This post is about two sisters from Monson, Massachusets.

A tornado destroyed part of Monson in 2011.  The sisters — Caitria and Morgan O’Neill — used “two laptops and a slow Internet connection” to create what they call  community powered recovery.

They now teach other communities how to do the same thing.  They turned their experience into a business.

Caitria and Morgan O’Neill describe their idea in a TED video.

You can watch the nine minute video at the end of this post.

But first a few appropriate words from the 2012 National Preparedness Report (with my emphasis):

Efforts to improve national preparedness have incorporated the whole community…. This whole community approach to preparedness recognizes that disasters affect all segments of society.  While the Federal Government plays a critical role in coordinating national-level efforts, it is communities and individuals who lead efforts to implement preparedness initiatives throughout the Nation….

Experience has shown that community members often serve as first responders…. Faith-based and voluntary organizations, furthermore, have demonstrated remarkable speed and capacity to establish operations to care for those in need after a disaster….

Of course, preparedness is not a new concept…. What is new is the unity of effort that whole community partners are bringing to the challenge, as well as the recognition that preparedness does not just involve spending resources—it involves changing mindsets and behaviors.

Here is the TED talk

A somewhat cynical colleague watched the video and sent me the following note:

I’m delighted at the confidence, even the certainty, that the 2 sisters have that ‘someone’ will do what is necessary.  Ah the human spirit!

Derecho forming in Midwest and barreling to the Mid-Atlantic

The implications of last week’s derecho are a matter of some debate. Please contribute to the debate through the comment function at the close of this post.

TIME: Friday. June 29, 2012.  Minimal notice.  Emerged in Southern Great Lakes during  mid-afternoon, hit National Capital Region between 10:30PM to 11:30PM.  (By statute the National Capital Region consists of the District of Columbia, 2 Maryland counties, 4 Virginia counties, and the City of Alexandria.)

SPACE: 650 miles deep (Northern Indiana to Atlantic seaboard), 270 miles wide (roughly Norfolk VA to Philadelphia PA).

CHARACTERISTICS: Fast-moving, averaging 60 miles per hour.  Hard hitting with sustained winds ranging between 60 to 90 miles-per-hour, very strong downbursts (and even stronger microbursts, producing tornado-like outcomes), widespread lightning strikes, and hail.  Wind-gusts of over 80 miles per hour were reported along an arc extending from Baltimore (MD) in the north to Richmond (VA) in the south.

Derecho’s are difficult to predict.  Most meteorologists are surprised the June 29 squall line survived its transit of the Appalachians.   Descending toward the coastal plain the derecho was quickly strengthened by the hot, humid atmospheric instability spawned by a record-breaking hot day.  The June 29 temperature in Washington DC had reached 104 degrees.

Again and again the June 29 derecho has been described as a “no-notice hurricane.”

FREQUENCY: Uncommon.  Usually less than one per year anywhere in North America.  Typically no more than one every four years in the mid-Atlantic.

CONSEQUENCES: Twenty-six deaths,  over 5 million without electricity for up to one week, widespread telecommunications outages (including 911 system failures), water quality concerns in West Virginia, suburban Maryland and other locations, transportation system stress due to reduced fuel pumping capabilities, traffic signal failures, and increased traffic, as a result of both the storm and Independence Day holiday.  Economic impact — from both physical destruction and loss-of-trade — not yet calculable.

ANALYSIS: Following is a Washington Post editorial that was written about 72 hours after the event.  It is, I suppose, a kind of consensus analysis.  I am concerned this consensus gives insufficient attention to several strategic realities.  The Post editorial board’s original analysis is in italics.  My counter-argument is indented non-italic.

Powerful storm exposes lack of disaster preparedness

It’s been awhile since I have managed to post something. The last wholehearted attempt I made was a reflection on May Day observances that I never finished. For some reason or another I could never come to a conclusion to that piece that really satisfied me. At least not in the sense that I was getting to the heart of what I was watching on the news and in the streets, especially here in Seattle. As a result, it sits mouldering in my queue still waiting for rewrite or deletion.

Somehow, though, a few of the themes I struggled with just a couple of weeks ago came into sharper focus for me this week in the form of two articles I read. The first described the effects of growing income inequality on individual mortality. Put simply, those who earn the least can not only expect to live shorter lives, but they can also expect their longevity to diminish as the length or the depth of the gap widens between their earnings and those at the top. The article cites other studies’ speculation as to the causes of income inequality-related mortality while noting that the academic research cited has reached no firm conclusion about specific causes, especially over the short-term. At the same time, the study provides compelling evidence of the cumulative effect of income inequality on health.

The second article suggested that crime really does pay. Or rather that unethical behavior or at the very least less-than-ethical behavior has its rewards. The Harvard Business Review item noted a recent study that displayed significant gaps between the earnings of those men who self-reported improvements in ethical awareness and subsequent ethical conduct as a result of exposure to ethical principles and practices in their post-graduate management curricula. (Sorry, no word on how the women did. Let’s just hope it was considerably better than the boys.) Sadly, but probably not too surprisingly, those who earned the most reported little awareness of or influence from exposure to ethics while earning their MBAs.

These two items got me reflecting anew on a third item that aired on May 1. NPR’s Planet Money Team produced a truly exceptional segment entitled Psychology of Fraud: Why Good People Do Bad Things. This piece examined the story of Toby Groves, a convicted mortgage fraudster who convinced colleagues to conspire with him to create a ghost mortgage, a very real loan for an utterly fictitious property, to cover mismanagement of his business.

In the simplest terms, Toby and his colleagues justified their actions by framing the problem in two very simple but compelling ways. First, instead of seeing their actions as unethical, which they openly acknowledged they were, they reframed the decision as one of business necessity. They supported this framing in a second but equally compelling way by seeing their actions as a personal favor for a trusted friend and valued colleague. In other words, they saw Toby as someone they liked and enjoyed working with who now needed a small favor from them as opposed to the illegal and craven actions of a desperate man at his wits’ end. In short, their decisions to be helpful were aided by the notion that Toby Groves was a business associate, his business was at risk due to financial decisions they all make, and the actions he requested of them (which he openly acknowledged could get them all in heaps of trouble) required little effort on their part and were actions in which they were routinely engaged as part of their normal and legitimate business practices. Clearly, the road to hell — and prison — is paved with good intentions.

If the NPR story had any shortcomings, it was in the lack of resolution I felt from the reforms they suggested might arise to combat the problem of inappropriate cognitive framing of ethical dilemmas in the business environment. How, I wondered, might it help the situation to remind people on the forms they are signing that lying or misrepresentation are unethical or illegal? Don’t they know this already? And who reads the fine print anyway? Sure, it might help to change auditors frequently to keep them from becoming too cosy with those they oversee. But don’t we want auditors to be both rational and fair? Does this not suggest a need for some sort of empathy? How much then is too much?

Clearly, the dilemmas we face are becoming more complex just as they problems that give rise to them become more complicated and even convoluted. The credit crunch that led to the lingering economic stagnation we still endure, the ideological and political excesses of violent extremists here and abroad, and the inability to reconcile political differences for the common good not only reflect certain states of mind but also provoke powerful emotions in us that arise largely from our own cognitive biases. The challenge then is not to oversimplify any of these issues but to see them for what they are: Situations that require us to apply many different frames to achieve not only the proper resolution but sufficient perspective to interpret correctly what sits before our eyes.

We can look upon the health effects of income inequality as the sad but unintended consequences of an otherwise salutary economic system or an injustice that demands redress. We can reward unethical conduct in the workplace and accept unequal rewards for those who look after themselves before others or we can hold one another to account for what each of us thinks, says and does. If it’s true that the road to hell is paved with good intentions, then it’s also worth noting that there’s more than one way to skin a cat and we should try them all rather than looking for the easy way out.

A few weeks ago I attended a regional summit of emergency managers, firefighters, law enforcement and related public officials for a major city and its metro region. My task was to invite these jurisdictions and their agencies to participate in an exercise program that would feature a catastrophic event in another large city a few hundred miles away.

In case of such a horrific event,  the creative assistance of those at the summit would be needed. The exercise would especially focus on the movement of supplies toward the impact zone.

First question, “Why should we share our supplies?”

My response, “Thanks for the chance to clairfy, I’m not talking about sharing your emergency inventory or anything owned by your agencies. The focus would be on facilitating a surge of private sector supply chains, private sector goods — water, food, and pharma, for example — that either originate in this area or need to move through this area.”

“I understood you the first time,” the questioner stated. “Why should we do that? If there’s a real catastrophe in (insert city name) we’ll probably need everything we can get here.”

While I offered some answers and justifications, my responses were not persuasive. Several agreed with the need to keep what they had. Others probably disagreed, but they were quiet. If there is ever a real need, I fully expect the first urban area will move mountains to help the second urban area. But for a whole host of reasons, they were not at all interested in thinking through the problems and process in advance.

Last week I was in another meeting in a different urban area, this time with private sector leaders from power, communications, water, food, pharma, banking, trucking, medical care and other key sectors. The issue was more or less the same: it is a very bad day in the big city. Your local capability is offline, even flattened. Will you work with us and participate in some exercises to think through the problem of re-supply?

The response was enthusiastic. “It’s a very interesting problem,” one offered. “Thinking through this worst-case will help us with other everyday issues,” another said. After a wide-ranging conversation one of the private sector leaders at the table stated, “This is in our self-interest. It is also in the common interest. We should have done this a long time ago.”

In each case there are back-stories, details that help explain the very different reactions. This is not an issue of good versus bad. But it is a story of two very different mind-sets.

After a few years –a lifetime? — of such contrasting experiences, I have a heuristic, a rule of thumb: Humankind is divided between those who are inclined to control and those who are inclined to create. There is a continuum with nearly everyone suspended somewhere between these two extremes (among other axes).  Where do you fall?

Those who seek to control tend to be more pessimistic. Those who seek to create tend to be more optimistic.

Pessimism may have roots in the past, but is expressed prospectively.  Optimism is mostly a matter of how the future is expected to unfold.  Each is an orientation that can skew observation and as a result be self-fulfilling.  At the extremes, both pessimism and optimism are probably forms of psychological self-protection.  Some recent research seems to suggest genetic predispositions are also in play.

The two mind-sets can be complementary, but more often clash and compete. The “control-freak” is an idiot. The “innovator” is a fool.

Any meaningful homeland security strategy must find a way to blend and benefit from both mind-sets and apply them in the here-and-now. Doing so systematically is something that requires much more attention than we currently invest.

–+–

Late Thursday afternoon I received a copy of the National Preparedness Report, the first annual as required by PPD-8.  It deserves a closer read and more complete analysis.   But even on a first read, it is easy to perceive the struggle between control or create.  In raw form  the tension of these worldviews warps the strength of each.  When the tension is synthesized, the resilience of the whole system is enhanced.

–+–

IT WAS THE BEST OF TIMES, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us, we were all going direct to Heaven, we were all going direct the other way…

“… I see a beautiful city and a brilliant people rising from this abyss, and, in their struggles to be truly free, in their triumphs and defeats, through long long to come, I see the evil of this time and of the previous time of which this is the natural birth, gradually making expiation for itself and wearing out.” (A Tale of Two Cities by Charles Dickens)

It is not yet clear if the Cybersecurity Act of 2012 will be taken up by the whole Senate — as previously announced — or disappear into committee review while under sustained attack by those opposed.

Senator John McCain, one of those opposed, has promised a competing piece of legislation:

The fundamental difference in our alternative approach is that we aim to enter into a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations. Our bill, which will be introduced when we return from the Presidents’ Day recess, will provide a common-sense path forward to improve our nation’s cybersecurity defenses.

Last Friday I outlined the perceived — in my judgment, real — tension between collaboration and compliance that any approach to effective cybersecurity will require. The real debate is over how to resolve this tension: with more dependence on voluntary cooperation or the threat of regulation. (To be clear, the proposal unveiled on February 14 by Senators Lieberman, Collins, and others does not create new regulations per se, but it does initiate a public-private process that would eventually create a regulatory regime.)

Some private sector organizations have welcomed the opportunity to frame-up the process, others are ready to do what they can to stop any movement to regulation. So far the private sector line-up on each side seems mostly to reflect revenue streams. Those that may make money on increased attention to cybersecurity are in favor of the current proposal, those that see cybersecurity mostly as a cost are opposed. (The cost-benefit discussion is, so far, not very sophisticated on either side.)

While the efficacy of the new bill is debatable, it is clear the current approach — depending almost entirely on voluntary collaboration — has not worked. The weakest links in the cybersecurity system are the least willing to show up, talk turkey, and truly collaborate in sharing information and changing behavior. What do you do when “pretty please”, earnest presentations on self-interest, and peer pressure do not work? What do you do when neglect by one “house” on the block endangers the safety of the entire block (or city)?

Sanctions are needed. But no matter how tough, sanctions will not be sufficient. Whatever sack of sanctions are available, unless the sanctions are used to craft collaboration (rather than mere compliance) cybersecurity will not be enhanced.  The threat of regulatory sanctions may encourage collaboration, but a rigid regulatory approach alone will only achieve minimal compliance, which in cyberspace will always lag behind new threats and vulnerabilities.

Whichever of the current sides win, execution will be key. The current legislation addresses execution primarily under Title III through a DHS National Center for Cybersecurity and Communications. The new entity would combine several existing offices, and would be directed by a Presidential appointee confirmed by the Senate. Here are the director’s duties enumerated in the current legislation:

(1) manage Federal efforts to secure, protect, and ensure the resiliency of the Federal information infrastructure, national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States, working cooperatively with appropriate government agencies and the private sector;

(2) support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure;

(3) prioritize the efforts of the Center to address the most significant risks and incidents that have caused or are likely to cause damage to the Federal information infrastructure, the national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States;

(4) ensure, in coordination with the privacy officer designated under subsection (j), the Privacy Officer appointed under section 222, and the Director of the Office of Civil Rights and Civil Liberties appointed under section 705, that the activities of the Center comply with all policies, regulations, and laws protecting the privacy and civil liberties of United States persons; and

(5) perform such other duties as the Secretary may require relating to the security and resiliency of the Federal information infrastructure, national information infrastructure, and the national security and emergency preparedness communications infrastructure of the United States.

Title III continues for another 28 pages. Included under Authorities and Responsibilities of the Center, “serve as the focal point for, and foster collaboration between, the Federal Government, State and local governments, and private entities on matters relating to the security of the national information infrastructure.”

On page 114 of the proposed legislation a supervisor training program for the Center is set out. The current language suggests Senator Akaka and his staff have persisted in pushing his perennial concerns. It’s all good. It could be better.

The currently proposed training program  is mostly internally focused. I suggest language be added to focus on mission achievement. Consider for a moment a supervisor training curriculum focused on just one of the duties listed above, ” support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure”

What is the nature of the private sector?

What are the private sector’s current efforts related to cyberspace?

What does “secure”, “protect”, and “ensure the resiliency” of cyberspace mean?

What is the national information infrastructure?

What does it mean to “support” the private sector? Why this verb rather than another?

That would be an interesting — valuable — curriculum.   Develop similar curricula around each of the statutory goals, include private sector participants in the curriculum… and a whole new approach to private-public collaboration might be cultivated.

This curriculum should  include a heavy dose of culture, a culture of private-public collaboration.  If the Center becomes a cyber-SEC none of us will be any safer.   Cybersecurity cannot focus on accountability after-the-fact.  The focus must be on cultivating a culture of prevention and resilience, not compliance.

For this purpose, I propose the Akaka Academy for Cybersecurity give close attention to the way the Coast Guard cultivates a collaborative relationship with owners and operators of marine vessels. Just for a taste of what I mean, consider the implications of the following written instruction from a Coast Guard flag officer… and this is not atypical, this approach is entirely consistent with  standard Coast Guard practice.

The Coast Guard’s objective is to administer vessel inspection laws and regulations so as to promote safe, well equipped vessels that are suitable for their intended service. It is not the Coast Guard’s intent to place unnecessary economic and operational burdens upon the marine industry. In determining inspection requirements and procedures, inspection personnel must recognize and give due consideration to the following factors:

• Delays to vessels, which can be costly, need to be balanced against the risks imposed by continued operation of the vessel, with safety of life, property, and the environment always the predominant factor over economics;
• Certain types of construction, equipment, and/or repairs are more economically advantageous to the vessel operator and can provide the same measure of safety;
• Some repairs can be safely delayed and can be more economically accomplished at a different place and time;
• The overall safety of a vessel and its operating conditions, such as route, hours of operations, and type of operation, should be considered in determining inspection requirements;
• Vessels are sometimes subject to operational requirements of organizations and agencies other than the Coast Guard; and
• A balance must be maintained between the requirements of safety and practical operation. Arbitrary decisions or actions that contribute little to the vessel’s safety and tend to discourage the construction or operation of vessels must be avoided.

I know of no better example of effective private-public collaboration than that of the U.S. Coast Guard with the industry it helps regulate, serve, and sometimes save.  It is a cultural model well-suited to the cyber domain.

On Valentine’s Day the Senate Homeland Security and Governmental Affairs Committee released a proposed Cybersecurity Act of 2012.  The Committee’s Chairman, Joseph Lieberman (I-CT) and ranking member, Susan Collin’s (R-ME) are co-sponsors.

The roll-out has been impressive.  Check out the Committee’s website for gobs of additional background.  All-star testimony was taken on Thursday.

My HLSWatch colleague, Jessica Herrera-Flanigan has authored a persuasive piece for Roll Call pushing for quick adoption.  Rapid approval by the Senate is a big part of the legislative strategy.

Every cyber-specialist, like Jessica, I have communicated with supports the legislation.  Those on the Hill who have come out against are – so far – objecting mostly to procedural or cost concerns. (The best political update I could find on Friday morning is from Ellen Nakashima at the Washington Post.)

Yesterday I used a cross-continent flight to read the 205 pages of statutory prose.  Politico called it a “door-stop of a bill.”

Taken at face-value the language could hardly be more benign.

The clear intent is to prevent when possible – and mitigate when prevention is not possible – “the risk of national or regional catastrophic damage within the United States caused by damage or unauthorized access to information infrastructure…”

To achieve this and similar goals the legislation frames and facilitates a rather intricate process of private-public consultations, information exchange, risk analyses, certification, audits, education, research, and exercises.

In a whole host of ways the language implicitly – but quite obviously – acknowledges that cyber security is not possible without extraordinary – just for emphasis: extra-ordinary – cooperation between government and the private sector and between various elements of the private sector.

As a result, the proposed legislation goes to amazing lengths to encourage information exchange on cyber threats, vulnerabilities, and more.  For example, here are three sections of Title VII Information Sharing (page 163):

(d) EXEMPTION FROM PUBLIC DISCLOSURE.—An cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall be— (1) exempt from disclosure under section 552(b)(3) of title 5, United States Code, or any comparable State law; and (2) treated as voluntarily shared information under section 552 of title 5, United States Code, or any comparable State law.

(e) EXEMPTION FROM EX PARTE LIMITATIONS.— Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall not be subject to the rules of any governmental entity or judicial doctrine regarding ex parte communications with a decision making official.

(f) EXEMPTION FROM WAIVER OF PRIVILEGE.—Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) may not be construed to be a waiver of any applicable privilege or protection provided under Federal, State, tribal, or territorial law, including any trade secret protection.

Please, please, please let us know when you are in danger, we promise not to hold you accountable. The federal government is made into a worried parent trying to protect a troubled teenager.

No one tells me the cyberthreat is overdone.   Most tell me it is already worse than is generally known. Threats, vulnerabilities, and consequences are expected to grow.

Everyone seems ready to agree – at least behind closed-doors – the legislation is well-intended and designed to tee-up a meaningful process of private-public consultations, not pre-ordain the results of that consultation.  If anything, many cybersecurity mavens find the proposed language entirely too tentative and toothless.

But one Chief Information Officer I talked with calls the bill a “Trojan horse, superficially attractive and deeply dangerous.”  According to this person the legislation is fundamentally flawed because it moves the focus of discussion from collaboration to compliance.  “As soon as compliance is the agenda,” he says, “the lawyers take over. We will hardly ever see a technologist again.  That’s not what we need.  They are going to replace a messy, difficult, but realistic process of collaboration with an orderly and mostly meaningless process of certification and compliance.  Risk management is hard.  Compliance is easy.  In one case you invest in real outcomes, in the other you create a legally defensible illusion.”

When I outlined the CIO’s critique to a self-defined “Hill Rat” (and lawyer) who has been involved in cybersecurity, he responded, “The lawyers are already too involved.  That’s been a problem.  It’s been easy for government relations people to show up.   We need CIOs, CTOs, CFOs, COOs, and CEOs.  One way to read the legislation is as a small but very sharp blade to cut through the veil of lawyers behind which too many of our cyber-assets are obscured.  No one wants to regulate, but we need to get real about the risk.”

As the Congressional staffer continued he went even further, “You know what?  This is really an anti-regulation bill. Unless we do something like this and get much better at the drill than today, a major system is going to be taken down and people will die.  Russian mafia, Iranian Quds, Chinese class project – who knows who?  Then just imagine the rush to regulation.”

Maybe I am overly influenced by two men who were each speaking with evident candor and concern.   But I come away thinking they are probably both right.

The issue is not so much current Congressional intent as longer-term execution.  Whenever legislation is adopted, how can we keep the focus on substantive collaboration?  Next Friday I will offer a suggestion.

Last week a former client — I had not heard from him in over three years — called me in a (typically) titanic rage.

With expletives deleted, he said something similar to: “@$%& can they be serious about supply chain security without involving me?  And @##$%! is this about increased redundancy, do they have any ##$%^ idea how much that could cost?”  And so on.

“Surprised to hear from you Gary,” I replied (not his real name).  ”Been a long time.”

One of the reasons I retired was bombastic, reality-distorting,  self-serving, narrow-minded, tactically-driven, context-challenged so-called leaders like Gary.   When an American business implodes, it’s usually got more than one Gary scattered among its executive ranks.  They are a minority, but sadly very active.

Since he evidently reads this blog, I guess that bridge has been effectively burned and pushed into the chasm for better or worse.

Considerably more frustrating was an email received yesterday.   A national organization closely related to the supply chain industry had just completed a meeting of its government affairs committee.  At the meeting they reviewed the new National Strategy for Global Supply Chain Security.  The note distributed indicates they will take “a wait and see position until they can  determine whether  this is in fact a priority initiative for the Administration.”

Eleven months ago the squishy soft underbelly of the global supply chain was nakedly exposed by a hard-hit to an economically peripheral area of Japan.  In the fourth quarter of 2011 the same sort of expensive embarrassment was produced by Thai flooding.    These events seriously affected the bottom-lines of some top global brands. Billions of dollars in value and productivity evaporated.  Other examples could be offered, fortunately none — yet — involving crucial agricultural, industrial or financial keystones.

In the context of these real-world challenges the President personally signs-out a new National Strategy.  He sends a cabinet secretary to the World Economic Forum to unveil the new strategy.  He orders follow-on work to be done.

Many are arguing this is a top-tier national security concern.  The President sets out a fairly narrow time-frame in which to come back with an implementation plan.

To which at least some in  private sector respond with, “Well, let’s wait and see”.  I almost feel the need to join my former client in yelling !@#$%?

The United States has the most advanced domestic supply chain in the world.  It is fundamental to our economic competitiveness and our way of life.   We are a key player in a global supply chain that is increasingly complex and on which we more and more depend.  This is a national priority.  It is also — mostly — a private sector responsibility.

The National Strategy is explicit regarding its goal to “engage government, private sector, and international stakeholders. The purpose of this engagement is to seek specific recommendations to inform and guide our collaborative implementation of the Strategy.”

The President of the United States is asking for your help.  He is giving the supply chain community the opportunity to get ahead of this problem and shape the solution-space.  This is a fantastic moment for a good dose of enlightened self-interest.

Gary is a bomb-thrower, but at least he wants to be involved.  I hope some of his more constructive peers accept the invitation.

Yesterday several DHS officials and others were on the Hill giving testimony related to the new National Strategy for Global Supply Chain Security.  Please see: http://homeland.house.gov/hearing/subcommittee-hearing-balancing-maritime-security-and-trade-facilitation-protecting-our-ports

Three quick impressions:

1. Constructive example of “stovepipes” being brought together around a supposedly stovepipe-busting strategy.

2. The tension between security and resilience is real, persistent, and difficult to effectively engage.   Security is tough enough.  Resilience requires even more creativity.

3. It is striking to have a hearing on this topic without hearing directly from the private sector as well.

This is an early step in rolling-out the new strategy.  Much more to come.

Yesterday at the World Economic Forum in Davos, Switzerland Secretary Napolitano unveiled the new National Strategy for Global Supply Chain Security (1.5 megabyte PDF).  The President signed-out the document on Monday.

The strategy offers two goals:

Goal 1: Promote the Efficient and Secure Movement of Goods – The first goal of the Strategy is topromote the timely, efficient flow of legitimate commerce while protecting and securing the supply chain from exploitation, and reducing its vulnerability to disruption. To achieve this goal we will enhance the integrity of goods as they move through the global supply chain. We will also understand and resolve threats early in the process, and strengthen the security of physical infrastructures, conveyances and information assets, while seeking to maximize trade through modernizing supply chain infrastructures and processes.

Goal 2: Foster a Resilient Supply Chain – The second goal of the Strategy is to foster a global supply chain system that is prepared for, and can withstand, evolving threats and hazards and can recover rapidly from disruptions. To achieve this we will prioritize efforts to mitigate systemic vulnerabilities and refine plans to reconstitute the flow of commerce after disruptions.

In my judgment we are much closer to achieving “efficient and secure movement” than we are to a “resilient supply chain”.  The new strategy could help with each, but the tougher task will be the effort “to mitigate systemic vulnerabilities.”

On January 11 the Wall Street Journal reported,

After a decade of streamlining their supply chains to make them less costly, the natural disasters and political upheavals that marked 2011 showed many multinational companies just how vulnerable those links have become.

A senior supply chain executive recently told me (clearly depending on me to protect his name and the name of his firm), “We have several known choke-points. I’m sure there are many more we don’t know about.  It won’t take a major disaster to disrupt supply, just a couple of unusual, probably simultaneous accidents.  I think — hope — there would be a similar impact on our competitors.  But that doesn’t help our consumers.”

“There are ways to mitigate our risk, but they’re all expensive,” another executive explains.  ”And for the last decade and the foreseeable future the lower cost of US supply chain management has been our principal economic advantage.  We’re much better than the Europeans, tons more efficient than the Chinese.  Increase supply chain costs and we lose just about the only advantage the US has left on most commodity trading and even a broad range of high-end specialty goods.”

Again from the Wall Street Journal:

Justifying redundancies is one of the toughest aspects of managing a supply chain, because backstopping doesn’t pay off unless there is a disaster. When CFOs ask about the return on such investments, the answer is, “If we’re lucky, absolutely zero return,” says Sean Cumbie, vice president in charge of global supply-chain management at genetics-testing company Qiagen NV, based in Germany.

The new strategy makes a glancing reference to “appropriate redundancy” which, for most supply chain executives, is like discussing the practical difference between manslaughter and murder.   Whatever you call it, the outcome ain’t pretty.

The senior supply chain guys (and a few gals) are the pioneers of the field.  In the last twenty years they have transformed the known world.  Not just the supply chain world, but the everyday world of billions of consumers.  Today the supply chain is faster, cheaper,  delivers much higher quality with much more assurance and transparency than a quarter century ago.

On most days the supply chain is also stronger, more flexible, and better at handling a range of emergencies and disasters.

But what we saw in Northeast Japan and Thailand has exposed a parallel reality.  Like all networked systems, risk tends to pool in unexpected ways and often unexpected places.  What if the earthquake-and-tsunami had hit the economic heartland of Tokyo and Osaka, instead of the Tohoku periphery?  What’s would the outcome be if  instead of Thai flooding it was an earthquake in San Francisco and down the east side of Santa Clara County?  What happens if the Port of Long Beach is seriously disrupted for an extended period?  What if cyber-vandals — or economic or national or terrorist adversaries –seriously target the digital systems on which the modern supply chain absolutely depends?

In a report — “New Models Addressing Supply Chain and Transport Risk” (7 megabyte PDF) —  released Tuesday, the World Economic Forum found:

Supply chain and transport networks have continuously evolved to deliver capacity, speed, efficiency and customer service through organizational trends such as globalization, specialization, volume consolidation and information availability. The focus on cost optimization has highlighted the tension between cost elimination and network robustness – with the removal of traditional buffers such as safety stock and excess capacity. These developments have shifted risk distributions…(while) their effects have often included sharing risk more broadly around the world, reducing high-frequency risks and focusing risk within sectors, common technologies or nodes. Another common feature has been to disassociate risk from responsibility, misaligning incentives and creating moral hazards – the notion that a party that is insulated from risk will behave differently from how it would behave if it had full exposure to risk.

Most supply chain managers I know tend to discount low frequency, high consequence risks (see related post).  They discount this kind of risk because over the last twenty years they have become true masters of risk management.   They also discount high impact risks because their CEO’s, Boards of Directors, and shareholders reward them for squeezing every possible penny out of supply chain costs.  They discount catastrophic risk because their creation — the modern supply chain — has never experienced a fundamental systemic failure.

Yet.

Many supply chain executives have become what economists sometimes call “risk preferers”, they have learned to maximize their return by skating with great style, grace, and confidence along the edge of chaos.   Each day they become more adept at mastering the chaos.   Is the experienced supply chain executive a sorcerer or  sorcerer’s apprentice?

The new National Strategy is the starting point for a collaborative process of discussion, analysis, and policy development.  It seeks to “develop a culture of mutual interest and shared responsibility” across government and the private sector.  It’s the right goal.  It’s the right way to pursue the goal.

It is a very ambitious goal.

Monday the independent panel appointed to investigate the Fukushima nuclear accident released a 507 page interim report.  Most of the document focuses on specific operational decisions and tactical choices.

Several specific failures are highlighted: insufficient planning, poor regulation and oversight, inadequate training and exercising, a breakdown in communications within the government and between the government and the operator of the nuclear power plant.

The previous paragraph could be quickly edited to apply to nearly every serious industrial accident: Bhopal, TMI, Deepwater Horizon, various large-scale blackouts and others.   The same failures are referenced in most after-actions for events large and small.

Also typical has been most of the media coverage focusing on personal failures by political, regulatory and corporate leaders.

But toward the end of the report — and the 22 page English-language executive summary — are several atypical bits of analysis worth much more attention than given so far.

It is not easy to admit an absolute safety never exists and to learn to live with risks.  But it is necessary to make effort toward realizing a society where risk information is shared and people are allowed to make reasonable choices.

A quarter century ago I made some extra Yen editing Japanese-to-English translations.  This time I will mostly leave the first draft as it is. There is a kind of clarity in the slightly awkward but more literal rendering.

Even for an accident of low probabilities so long as extremely large scale damages are anticipated once it occurs… due consideration should be given to the risks involved and precautionary measures should be taken.

It was a major shortcoming for the safety of both nuclear power plants and surrounding communities that a nuclear accident had not been assumed to occur as a complex disaster.  Disaster prevention programs should be formulated by assuming complex disasters, which will be the major point in reviewing nuclear power plant safety for the future.

It cannot be denied that the viewpoint of looking at a whole picture of an accident was not adequately reflected in nuclear disaster prevention programs in the past.

The nuclear disaster prevention program had serious shortfalls. It cannot be excused that nuclear accidents could not be managed because of an extraordinary situation that… exceeded the assumption.

The Investigation Committee is convinced of the need of paradigm shift in the basic principles of disaster prevention programs for such a huge system, which may result in serious damage once it has an accident.

Whatever to plan, design and execute, nothing can be done without setting assumptions. At the same time, however, it must be recognized that things beyond assumptions may take place. The accidents this time present us crucial lessons on how we should be prepared for such incidents beyond assumptions.

Low probability, high consequence events deserve our sustained attention.

Reasonable assumptions will be exceeded.

The chairman of the investigation panel, Yotaro Hatamura, has been especially critical of the tendency to blame the crisis on soteigai. This is often translated as “unforseeable events,” but is probably closer to “unimaginable events.”  (Echoes of a “failure of imagination” in the 911 Commission report.)

Hatamura is an engineer.  His best known work is probably Learning from Design Failures in which he examines more than 100 cases to “uncover the root cause, reveal the scenario that led to the unwanted event, describe what happened so readers can clearly repeat the steps in their mind, and propose ways to avoid those mistakes in the future.”   It is a very detailed, case-by-case, engineering oriented approach to disciplined thinking.  He is a solution-oriented guy.

But Hatamura  has also become an advocate for clearly distinguishing between complexity and non-complexity and what can — and, even more important, cannot — be done to manage complexity.  With a little effort we can foresee complex events.  We have a much more difficult time imagining how our strategy for the complex must differ from our strategy for the merely complicated or novel or known.

The Japanese for complexity (see above) includes kanji a classically minded literalist might read as “a surprising recurrence of miscellaneous elephants.”  If you can imagine how you would manage that, you are on your way to being able to manage the cascade of a complex event.

The final report is expected in June.

In a soon-to-be-published paper a multinational academic team that was in Japan at the time of the earthquake-and-tsunami credits “a handful of trucking/distribution companies” for saving thousands of lives.  ”Without their timely intervention, the situation in Tohoku would have taken the path of Haiti, where the lack of help from the local business class contributed to a crisis of huge proportions.”

Pause over this finding for just a moment: Without action by five or six key players in the supply chain, a major swath of the third largest economy in the world would have “taken the path of Haiti.”

The academic specialists in transportation, urban management, and civil engineering conclude the Japanese firms took the initiative because they “were in a position to know that the private sector supply chains had been severely disrupted, and that that the public sector was not ready to fill the gap.” (my italics)

Based on my own observations, in the first week after the earthquake-and-tsunami the Japanese government was not fully aware of its incapacity to fill the gap.  During the first five to six days, the government’s perimeter control was actually suppressing supply chain resilience.  A first step in restoring essential services to survivors was persuading the government they were incapable of doing so and to get out of the way.

This week Tesco,  the British — but international — grocery opened a new distribution center in Bangkok supplementing two existing DCs that have been impacted by the massive and ongoing floods.  This new site will focus on necessities such as water, instant noodles, and canned fish, importing these and other commodities from Malaysia, Vietnam, China, and elsewhere.   Since the flooding began Tesco has increased its distribution capacity in Thailand by about 40 percent.

Friends in Thailand complain the government’s response to the epic flooding has been totally incompetent.  A Bangkok expat who happened to be Japan during the earthquake-and-tsunami adds, “But the incompetence is so complete the government at least does not get in the way.”

Last week I was in a meeting with a senior officer of a major US food distribution company.   He shared one story after another from the Northridge earthquake, to wildfires in Southern California, to Katrina and more where grocery wholesalers and retailers were ready with product and transport, but were kept away… just as in Japan.

A factoid: the tonnage of food shipped into the typical US metropolitan census area each week exceeds what the US military shipped into Afghanistan during the first year of the war.  The US military’s effort is considered a marvel of modern logistics.  But even the US military does not have the logistics capability to fill the food, pharma, and other essential needs of a major urban area in case of a catastrophe.

Recognizing the challenge there are increasing efforts to facilitate private-public collaboration in advance of a catastrophe.  The FEMA Private Sector Office is hosting meetings, brokering relationships and pushing each state to establish effective public-private partnerships.  So far twenty-two states are in the process of doing so.

Over the last few years several cities (such as Los Angeles)  regions (such as the Bay Area) or states (such as New Jersey) have established Business Operations Centers (BOCs) or Business Emergency Operations Centers (BEOCs) or even Virtual Business Operations Center (VBOCs) to facilitate collaboration during emergencies, disasters, and catastrophes.

In some places a BOC is little more than some business seats in the government’s  Emergency Operations Center.  Several BOCs involve exchanging information and  facilitating resource management. Only a few seem to include common risk assessments, joint training and private-public exercises.

Yesterday (and continuing today) I am at a national conference focusing on the private-public interface in emergencies and establishing BOCs.  Some fly-on-the-wall impressions:

• Lots of good will all around, reflecting a very practical sense of private-public mutual dependence.
• Everyone recognizes that personal trust-building is essential and — given American mobility — not entirely sufficient.
• The common value proposition seems to be information sharing for situational awareness and, if possible, situational analysis.
• Lots of different technological approaches to achieving information sharing, situational awareness, and more.  Reminds me of the online learning market before BlackBoard emerged as the dominant player.  At some point there will be — needs to be — convergence.
• Most innovative, forward-leaning solutions seem to involve some sort of mediator between public and private sectors, such as an educational institution or a not-for-profit operating as host, active party, or actual entity.  This seems to defuse a variety of legal, political, and perhaps command-and-control issues.
• There is an implicit expectation by the public sector involved that when push comes to shove they are in charge.  This is unchallenged by private sector because they know when push comes to shove they will do (or not do) what seems best to them at the time.

In many respects it is amazing this kind of explicit and sustained private-public collaboration is such a recent phenomenon.

A leader of one the BOC’s reported that in his major city the private sector has welcomed the invitation to be involved and quickly taken the initiative to be more involved.

“They seem to think disasters are recurring faster and faster and getting bigger and bad-er.  They are trying to get ahead of the wave,” he explained.

I don’t know how many of you have noticed, but things are getting a bit tense out there. If life inside the Beltway was making you anxious, you might not want to avert your gaze. The view farther afield is not such a pretty sight these days.

With the Tea Party on one hand and the Occupy Wall Street and We Are the 99 percent protestors on the other, a growing proportion of our fellow citizens are actively expressing disgust with the status quo. And this doesn’t even include all the others like No Labels, the Coffee Party Movement and more who in their efforts to re-establish a middle-ground have ended up — often from the comfort of their home computer or smartphone — on or near the edge of a growing disquiet.

This morning I listened in a state somewhere between fury and amazement as Bill Frezza, a venture capitalist and fellow at the Competitive Enterprise Institute, complained bitterly on NPR that those making more than $250,000 a year were being unfairly cast as “whipping boys” for failing to pull the economy out of its tailspin by creating jobs. His full-throated defense of free market capitalism worked about as well as sending the fire department to pour gasoline on a blaze.

If Frezza and his ilk are to be believed, the country has it all wrong: executives are just like entrepreneurs; consumption always precedes production, and employment is an input to a healthy economy not a byproduct of it. And, oh yeah, corporations are citizens too. Of course, Frezza and his friends are the same folks who creatively destroyed not only some of the nation’s biggest corporate brands, but also brought us the savings and loan scandal, the dot.com bubble, and collateralized debt obligations.

After 30 years of vilifying civil servants and public policies aimed at protecting much less expanding the middle class, these economic elites want us to believe that consumers have only themselves and the left-leaning political pawns they elected to blame for the lack of jobs, growth and real competitiveness.

New York Times columnist Thomas L. Friedman and co-author Michael Mandelbaum have another take on this. Their book, That Used to Be Us, contends that four trends underlie our current situation (summary taken from ‘That Used to Be Us’: Tom Friedman’s Rx for America to Get Its Groove Back at Yahoo! Finance):

1. Misreading the end of the Cold War, which was not a military “victory” but the start of a very big challenge to U.S. hegemony.
2. Taking a bad course after 9/11 by focusing on the losers of globalization vs. the winners.
3. Underestimating the impact of technological change which has made the world “hyper-connected.”
4. A generational shift from the “Greatest Generation” who believed in thrift and “sustainable values” to the Baby Boomers who use “situational values” and prefer to ‘borrow and spend’, instead of save.

Friedman and Mandelbaum suggest that the remedy to our current ills lies in what they call the ‘Five Pillars of Success,” outlined as follows:

• Education
• Infrastructure
• Immigration
• Regulation
• Research and development

In all five areas, the government, they argue, plays the key role, not just in jump-starting our economy, but in restoring confidence in our greatness as a nation. They make a compelling case that without competence in these five areas, the nation cannot expect to reclaim much less retain its position as the world’s preeminent power.

About the same time Friedman and Mandelbaum’s book hit the stores last month, James Fallows, national correspondent for The Atlantic, was discussing a damning essay by former GOP Congressional staffer Mike Lofgren and conveying some pretty salient observations himself (see here, here, and here) about the degree of unrest emerging around the country as a consequence of the growing distrust of our political elites.

More than a few commentators have begun to suggest in some subtle and not-so-subtle ways that the Arab Spring could be followed by an American Fall. As homeland security professionals, we might rightly ask ourselves what this means for us. Which side are we on? Do we stand with the state or the citizens?

I don’t know about any of you, but I’m not eager to play the part of the Egyptian Army if Zuccotti Park becomes the new Tahrir Square.

Nick Catrantzos wrote today’s post.  Mr. Catrantzos is an adjunct professor of homeland security and emergency management for the University of Alaska, Fairbanks, and a recently retired security director who, post-9/11 oversaw a $30,000,000 capital investment in security technology, including surveillance cameras, for a large public institution.

———————————–

Specialists see the world in terms of their specialty.

Every time an attorney specializing in litigation or a vendor specializing in camera sales opines about the relative merits or perils of security surveillance, their natural bias competes against respective areas of ignorance to limit the value of their attending pronouncements. Either may have colorful things to say. Both omit points important for a deeper understanding of the issue.

Beginning with the lawyerly lament about too many cameras not only impinging on individual privacy but potentially leading to profligate spending in a time of fiscal constraint, the useful analytical point submerged in this hackneyed observation needs only a little more digging to unearth. The unstated point is that any flawed implementation is likely to waste money and produce unintended consequences undermining its desired benefits. Too much of a good thing can kill, hence the double-edged sword of elemental boons like fire and water, which await only arson or storm surge to turn from life-savers to life-extinguishers.

So, yes, too many cameras multiply the potential for abuse, for someone using them to nefarious purposes, whether in adjusting fields of view to look not at the parking lot where assaults occur at night but at a nearby residence in whose yard a teenager is sunbathing immodestly during the day.

Waste is also likely, particularly if the absence of intelligent oversight means that a security camera vendor receives carte blanche to clear the warehouse of every high-end, pan-tilt-zoom, infrared, weatherized camera in an installation where three quarters of the cameras could have easily been fixed-position devices costing a fraction of the price and requiring significantly less maintenance. The vendor gets a bonus for exceeding sales targets, while the customer gets an impressive quantity of modern devices to demonstrate how serious the end user is about security. Win-win, or lose-lose? More on this soon.

As for Maslow’s hammer…

It comes from what the psychologist and founder of the hierarchy of needs once observed when noting that if one’s only tool is a hammer, one sees every problem as a nail. Rare is the special product vendor who can see or propose any solution other than his or her stock in trade. Thus, to the average security camera vendor, there is no security problem that cannot be solved without the addition of another surveillance camera. By comparison, an average purveyor of guard services tends to do precisely the same, only with services instead of products. Thus, to the latter, every security problem is just another guard assignment away from being solved. Each provider is selling only a hammer, therefore each sees the security problem only as a nail.

What is the real solution to this institutionalized myopia borne either of over specialization or limited range of implements in one’s tool chest?

The answer is the kind of infusion of mind into the swirl of events that requires a seasoned managerial or security perspective, and preferably both.

What do seasoned professionals do when facing security surveillance as a management issue? They begin with objectives, focus on the results their organizations need to achieve, and defend against scope creep or one-off distractions that enfeeble the chances of attaining identified objectives. This approach, incidentally, applies equally to technology implementations unrelated to security. Why? Because champions of new systems invariably oversell and continue to offer product and service extensions, often with little regard for whether their initial offerings have satisfied original criteria.

If your security camera implementation has done nothing to limit parking lot assaults, for example, the vendor may well propose adding more cameras to more places, including hidden cameras outside of reception areas and extra ones at entrances and exits. Similarly, if your guard force contractor has failed to deliver on advertised loss reductions, he or she may suggest more guard posts and patrols, and even using uniformed guards as lobby ambassadors in reception areas.

See more nails? Get more hammers.

Here is why this cycle of repetitive failures turns into a lose-lose situation.

Both provider and beneficiary have lost sight of original objectives and, quite often, neither had thought these objectives through in the first place.

What needs to happen instead?

Begin by deciding the larger objective.

Are the security cameras intended to prevent loss or to apprehend adversaries after the fact? A serious answer to this question guides the entire scope and investment of the surveillance camera implementation effort, and it is only a fool who will ask the hammer seller for a tool selection that also includes screwdrivers, pliers, and saws. Of course the vendor will offer to do it all. Turn on the blue light; the man wants a blue suit. But the reality is that attempts to do it all invariably end up diffusing effort, overextending systems, budgets, and schedules, and delivering flawed implementations, resulting in strained customer-provider relations. You can do one thing well or all things badly. What does your organization need?

Assume your organization is more interested in prevention than apprehension.

This is the private sector security model as contrasted with the public safety model. The latter has a societal objective of chasing down offenders to capture and punish them and, by doing so, demonstrate to society at large that crime does not pay.

[Incidentally, this public safety bias limits the ability of most police to operate surveillance cameras solely for prevention. Their invariable tendency is to use them more for investigation. Also, because they hired on to chase malefactors, watching cameras or defending assets are unattractive to cops in their prime.]

In the context of running a business or even a public institution, however, few organizations can afford the resources for this hunt. Instead, their security functions earn their keep by preventing losses – which cost significantly less in time and staffing than trying to shadow the responsibilities of a police force without the same powers of arrest or investigation.

How does this assumption affect security camera implementation?

First and foremost, if you are interested mainly in prevention, then you optimize your surveillance system for intrusion detection, period. This means that you place cameras along perimeters and entry points, and reduce to an absolute minimum the impulse to stockpile data unrelated to intrusion. This means you do not warehouse video images for months or years at a time because they may come in handy in some event reconstruction or one-off investigation into something at some point in time. Someone in the organization will always make the case that such capabilities are nice to have. But that someone will be an individual or department that has no idea of or responsibility for the burden of keeping such data, in terms of staff hours and capital investment. Absent a regulatory [or other] requirement that compels you to do otherwise, you must decide whether you are in the prevention business or in the monitoring-to-help-everyone-else-out business.

If in the first, you overwrite your video files at the first logical opportunity – perhaps a week or two – and keep only what you flag for retention – perhaps within a few days of a loss or suspicious incident. This protocol puts you squarely in the prevention business rather than in the internal snooping business. It limits the audit trails that institutionalized snooping occasionally seeks, however. This means that the supervisor too inept to monitor or discipline an underperforming employee will not be able to look to your surveillance system to say, “Aha, Harry isn’t showing up on time and is always leaving early on days when I have to go out of the office.”

What will such supervisors have to do if the surveillance system is unavailable to supply evidence to back disciplinary action? They will have to do the same thing they had to do in the days before such a system was around: supervise. Indeed, an employee relations manager told me that any time a supervisor wants to rely on security audit trails to catch an employee in some kind of routine performance deficiency, this proclivity signals a lack of supervision.

It is no surprise that specialists seeing the world in terms of their specialty offer up flawed solutions, without necessarily doing so in bad faith.

They have hammers, so they see nails.

The finesse in vaulting over this common hurdle, when it comes to security surveillance cameras, is in looking past the myopic vision of the hammer sellers to understand the bigger picture. Although it is rare to find this capacity in specialists, it is not entirely absent.

I have worked with the occasional security systems vendor – usually a seasoned one who is secure in tenure and sufficiently senior in the organization to be insulated from sales quotas – who can and will advise against more cameras than anyone can usefully monitor. Such advice benefits the client and serves the enlightened self-interest of the provider.

Every customer appreciates a hammer seller with the nerve to refuse to sell you another mallet when you clearly need a screwdriver.