Monday, August 1, 2016

Can the center hold?

The world just seems to get more unstable every day. Here's the opening of my column for The Risk Universe magazine this month:

  “Turning and turning in the widening gyre
    The falcon cannot hear the falconer;
    Things fall apart; the centre cannot hold;”

             William Butler Yeats, “The Second Coming” (1919)

"These first three lines of a poem that Yeats wrote after the first world war resonate with us today, and have been referenced in American political debate – and perhaps also around the Brexit vote as well.  Going it alone or going it together with other countries appears at least to be the question as discord and violence present themselves more regularly, in no small part because of the technology now available to us."

The level of political discourse has never been more base, and the level of trust for either U.S. political candidate seems to be at an all-time low.

Some of us fancy we know that we are at a critical turning point in our history.  Others seem so filled with irritation and rage at the current environment that they cannot see the shape of things unfolding.

I plan to continue not to use the current election as fodder for risk-based speculations.  But I will continue to speak out when employee safety and situational awareness issues are at stake.

Wednesday, June 15, 2016

Thoughts on Domestic Terrorism

Eiffel Tower, Paris, France
City Hall, Brussels, Belgium

In our American history, only twice before have so many citizens been murdered at a single time -- first, at Wounded Knee, where 150-300 Native Americans were gunned down by the U.S. Army; and then of course on 9/11, when even more of our fellow citizens were killed by terrorists recruited to Al-Qaeda.  This is not to say that there have not been other episodes of domestic terrorism since 2001.  Since early 2015 alone, we’ve witnessed such acts in Charleston, Chattanooga, Merced, Colorado Springs, San Bernardino, Philadelphia and Columbus.  

I had a remarkable briefing on terrorism last week, before the Orlando nightclub murders took place. Since then, as a more detailed picture of the terrorist is painted, I marvel at how closely it aligns with the profile of a domestic terrorist as described.

Research indicates that the average age of what are primarily young men is in the 20s.  The terrorist is usually already known by law enforcement; and has often tried to join either the military or a police department.  Most are converts to Islam, a conversion made easier by ISIS' presentations on the web and the graphic violence embedded in them.

Though there are subtle differences with this terrorist, in that he was a Muslim and apparently attracted to others of the same sex -- grounds in Mideastern countries for death by stoning, being dropped from a great height, or beheading -- there are enough similarities to see how sophisticated ISIS has become at appealing to alienated, ostracized and perhaps bullied, lone wolves.

At this time, we have no civil society mechanism to identify in advance and take care of such individuals in something like a diversionary program.  It is well worth thinking about what such a program would include if we could identify them before they caused such enormous damage to our society -- not just to the families and friends, but to our anxiety levels as well.  It is worthwhile for members of the community to come forward to identify dangerous citizens before they act -- this is evidently one of the hardest communications for law enforcement whether working with, say, a militia group, or a religious group.  We still have strong familial and community  loyalties and notions of "tattle tale" that get in our way, no matter how Americanized we have become.

It is inappropriate to blame the FBI for having investigated but released the murderer for lack of "reasonable cause."   In fact, as I have just explained to a good friend from France, it is that very definition of reasonable cause that protects all of us from unreasonable encroachments by law enforcement.

I won't spend a lot of time here on the topic of gun control, except to note that it is time for Congress to stand up to the NRA and pass legislation that prohibits the sale of assault weapons, authorizes background checks and forbids sales of weapons to those on the U.S. watch list.

My heart goes out to the LGBT community, the direct target of these and other such acts of late.  Just a year ago, the community won a legal battle to marry.  To have such violence and hatred spewed in this particular way, in a club that was considered a safe space, is especially wrenching.  We are better than this.

Please practice situational awareness as you go about your life, especially in public places.

Thursday, May 12, 2016

How far can finger-pointing and bad-mouthing take you?

Catholics are taught at an early age that someone is always watching you.  As a child, I didn't think of this as surveillance (not a term that the Baltimore Catechism is familiar with), but rather as being benignly supported in my efforts to be a good person.

On the irreligious side, I learned early about being a good citizen and helping others -- to "put myself in their shoes," as my mother would say.  This behavior seemed to square up with my heroes, Nancy Drew and the Hardy Brothers, and with the principles taught by the Brownies and (later) Girl Scouts.
I had no sense of limitations or boundaries growing up.  I was there to grow into myself.

I've tried hard in my career to explain to colleagues and to shadowers that 1) honesty is the best policy because it's most efficient; 2) that "Every wall is a door" (Ralph Waldo Emerson); 3) that harboring resentments or engaging in finger-pointing hurts you most of all because it sucks your attention and focus into proving your hypothesis; and 4) that there is always something to learn from another, especially if you can put yourself in her/his shoes.

There's not enough time left on my runway to spend my energy negatively.  Observing the current state of politics is enough of a time sucker.  I'll spend my time working to change the world, one project (or one class) at a time.

Tuesday, April 26, 2016

Us vs the Europeans

The European Union definition of personal information and of privacy is so much more restrictive than ours that it should come as no surprise that the Europeans are not as interested in using massive data suction tools to find terrorists as this government is.

I wish I could say that any of the presidential candidates understood the issues around privacy, in particular digital privacy, but I'm afraid we are going to have to leave that to the Supreme Court.

The FBI director says he was greatly misunderstood, that he's simply interested in being able to read "clear text."  Meanwhile, we learn that there was nothing of interest on the work phone in San Bernardino that caused the FBI to take Apple to court to break the device's encryption and to create software most of us in the business call a "back door."  The FBI however is still hopeful that they might be able to figure out what the terrorists did in time not yet accounted for by checking out their GPS data.  (If they were smart enough to use burner phones, they would have been smart enough to turn off "Location Services," thus turn off GPS.)

I am looking for a leader, perhaps a former government official, to become the clear spokesperson for privacy and in particular for digital privacy.  I don't think that Tim Cook can do this and run his business at the same time.  We need a private sector leader to explain clearly to the American public what is at stake in these skirmishes. 

Thursday, April 14, 2016

A reasonable expectation of privacy.

I'm in my office before class, having started my morning with a New York University-hosted forum on the Zika virus, which actually will be up for discussion in class this afternoon. About an hour after that forum concluded, Microsoft announced that it was suing the U.S. Department of Justice, "challenging as unconstitutional the government’s authority to bar tech companies from telling customers when their data has been examined by federal agents." (Wall Street Journal)  

Now, class prep completed, I'm listening to an address that FBI director James Comey gave at Kenyon College's "Expectation of Privacy" conference.  He is of course arguing that there needs to be a way into encrypted systems, with many examples being tossed out, usually about terrorists or kidnappers or murderers.  He rejects absolutely the "slippery slope" argument. He asks for a substantive, thoughtful conversation about security and liberty.  He ignores the issue of the back door becoming accessible to criminals, nation states or terrorists.

The late Antonin Scalia argued some time ago that "There is nothing new in the realization that the Constitution sometimes insulates the criminality of a few in order to protect the privacy of us all."
Let's hope that the Congress can remember this, divided as it is, as one or more anti-encryption bills go forward.

I admire Director Comey enormously, including his references to FBI agent training he has instituted via a visit to the Holocaust Museum, and the order from Bobby Kennedy to wiretap Dr. Martin Luther King Jr.'s phones.  I think, though, here you will find the other side of the article missing -- the side that makes the "slippery slope" argument, that believes that source code is protected speech, and that resists creating a tool that the government asks for, one that breaks its own product.

He is right: we have never been closer to a condition of complete privacy with the advent of encryption. May I also point out that the question and answer session that follows his talk is well worth listening to.  He is a good teacher.

Thursday, March 31, 2016

Rehearsing Before Class...

So much about risk management needs to be re-emphasized on the first day of class.  To paraphrase the key points about risk in a new risk guidebook that I've been involved with:
  • Risks are not always negative.
  • If you manage risk, you are managing performance.
  • Managing risks is about managing opportunities.
I've got 13 students registered for this advanced course that looks at whether or not risk is handled differently in the public sector than in the private sector.  Add to this first class an additional seven visitors, who will be entering the MSIM program next fall.

I'm incorporating feedback I received from my winter risk course evaluation.  We'll still have eight guest speakers in the first hour, but then I'm going to take the next hour or so to engage more in a discussion than a lecture, including scenarios that will allow the students to practice the art of risk assessment before they actually have to present at the end of each week. This quarter's guest speakers are superb:

  • Lucianne Phillips, FEMA Regional Private Sector Liaison
  • Mike Hamilton, CEO of Critical Informatics, former City of Seattle CISO
  • Michele Turner, Sr. Compliance Mgr, Microsoft Universal Store
  • Al Wilson, Director of Business Continuity, BECU
  • Todd Mack, Deloitte Tech Risk, Risk and Resilience Director
  • Mike Howard, Microsoft Chief Security Officer
  • Mary Gardner, Information Security Officer, FredHutch
  • Aaron Weller, Director of Cybersecurity and Privacy, PwC 

Off I go....

Monday, March 28, 2016

"Education is not the filling of a pail, but the lighting of a fire." -- William Butler Yeats

Cherry Trees Outside Suzzallo Library, across from Gerberding Hall, University of Washington
I've had a bit of a spring break.  I spent four days in New York City, speaking at a risk conference and in meetings around future publications and conferences.  I managed to complete annual checkups with my doctors, set up a new trainer who starts this week, and have a lovely day with my sister at the Museum of Modern Art and the Manhattan St. Patrick's Day parade.  That's a lot to accomplish in two weeks, especially when I was grading final papers as well.

Classes for spring quarter begin this week.  I'm teaching on Thursday evenings and managing the Master of Science in Information Management (MSIM) internship program.  Additionally, I've got deadlines on another article for The Risk Universe, final comments on a risk guide for state transportation departments, funded by the National Transportation Board, and the outline of a chapter on conduct risk to be written for a new book on that topic in the Risk Books series from England.

So the fire is lit in me, to be passed on  to my students this quarter.  I have never done just one thing at a time.  The possibilities seem endless.