PNSR: Knowledge Management and the Market Dynamics of U.S. National Security

Jan 31

The following is a “revised and extended” version of my remarks at the PNSR Futures Conference this week in Washington D.C. (PNSR = Project on National Security Reform.)


FINDING: The national security system is not an organization, nor even a system of shared purpose.  My observations lead me to believe it is better described as an ad hoc consortium of competing interests.

Assessing knowledge flow across this “system,” therefore, is akin to understanding the flow of capital across and within financial markets. Yes, I am jumping on the coattails of current headlines.  Suddenly, people who never considered derivatives trading are telling each other “credit is frozen,” and “the markets lack trust.”  Suddenly, it’s a bit easier to discuss knowledge management via analog to financial markets and capital flow.

Common between these two worlds:

  • issues of trust, 
  • expectations of reciprocity, 
  • primacy of individual cultures, 
  • expected rewards, 
  • hidden agendas, 
  • local authorities preferred when confronted with cross-organizational mission, 
  • etc.

For the Project on National Security Reform (PNSR) we used systems analysis – with an emphasis on complex systems – to understand the challenges and ideas for reform.  This is an augmentation to the study’s original reliance on organizational analysis, which tends to be normative regarding expected roles and functions.  If you approach a non-organization using an organizational lens, you will likely end up with recommendations that speak of “headquarters staff size” or “unity of purpose.”

Some of these organizational observations will be useful – the human capital team’s recommendation of a common approach to the national security workforce comes to mind.  But the use of an organizational lens alone will fall short of understanding how to employ leadership and management techniques best suited to a complex adaptive system of functionally-oriented public agencies.

Therefore, while we present KM problems and recommendations in the PNSR report, it is essential to understand that – because of the market-like, or systems, nature of the problem – fixing the KM problems requires a concomitant focus on human capital, process, development of a grand strategy, resourcing by mission instead of by function, etc.

(I’ve written of the problems and recommendations before, but wanted to place them in context one last time before moving on with my life.)

Without a systemic approach to reform, these KM recommendations alone will not solve the basic problem of helping the national security system know what it knows.

Knowledge management problems

  • Sharing knowledge across organizational boundaries remains difficult.  Agency cultures still discourage information sharing, although this is changing at the “point of the spear.”  Interoperability across classified networks is difficult, to say the least.  Even when we can communicate, we lack a shared lexicon across national security interests – try having a conversation with someone who has spent at least 3 years working at DoD or State.  (Or Morgan Stanley.)
  • Organizational learning is thwarted.  Not only does the new team find empty safes when they arrive, but there is a tendency (this last transition being an exception) among many new incoming national security teams to believe: “If these guys knew what they were doing, we wouldn’t be here.  What could we possibly learn from them?”
  • The national security system lacks true global situation awareness.  A few cognitive truths here:  We don’t know our own biases.  We don’t fully understand how we make decisions.  Add to this the orientation of the functional organization, each interpreting new information within a group filter.  Now add stress, uncertainty, and you have a system where the only time a “common operating picture” is available is in the White House (or on Capitol Hill).  Lower in the ranks, it is extremely difficult to comprehend the global situation as it is unfolding.
  • Current data systems do not provide or are not employed in a manner that promotes optimal knowledge sharing.  The state of public sector computing, while improving in some ways, remains abysmal.  Program funding solidifies the primacy of functional coherence over whole-of-government understanding.  Information systems still lack common data abstraction, business logic, and protocols.  And, thanks to our friends the technology vendors, government clients come to believe that buying “a portal” or “collaboration technology” solves this problem.  “We have collaboration – other agencies can come share their information on our portal!” “My agency has an enterprise license for Search.  Now everyone can find the information they need!”

Recommendations

  • Provide Institutional Memory Through an NSC Librarian/Historian.  The National Security Council needs a library function to help it understand decisions across Administrations.  The Chairman of the Joint Chiefs of Staff has an appointed term that crosses Administrations to provide continuity; let’s learn from that example.
  • Establish an Office of Decision Support on the National Security Council.  The charter for this office is open to discussion, but let it first tackle common security clearances, as the current efforts here lack inter-Agency authorities.  (Waivers are taking all the teeth – or at least the incisors – out of these efforts.)
  • Establish Agency Chief Knowledge Officers and an associated Council. The cadre of Federal CIOs are incentivized to provide secure, reliable, performing systems.  In other words, CIOs would maximize their bonus if all their ‘users’ died or otherwise stopped trying to use the systems.  Perhaps it is time to focus on the knowledge their users need to do their job.
  • Establish a ‘Federal Information Services Agency.’ Stop talking and move to the cloud.  Get commodity IT services coordinated, get data servers out of downtown Washington, establish compatible Global Address Lists (GALs), and stand up FISA to own the janitor and plumber functions of IT.
  • Subordinate Information Security Functions to Operations.  If you have had the delightful experience of deploying systems on a protected network, doubtless you have had to pass (multiple) security audits.  Have you ever heard of a security person filing an “operational impact statement” before locking down a firewall rule, closing off access to YouTube, or taking away flash drives?  It’s time the security professionals worked for someone; the current system places them in charge, and their decisions are unreviewable by the workforce.  We need to manage risk, not mindlessly work to reduce it.

And finally, in his Senate confirmation testimony (in response to Q&A), ADM Blair, who was confirmed this week as the new Director of National Intelligence, pointed to the following two as essential reforms he plans to tackle immediately.  While efforts are underway, our recommendations involve removing the waivers inherent in the current executive orders and authorizing legislation.

  • Establish Unified Security Classification Regime
  • Establish Unified National Security Clearances

4 comments

  1. This will be ‘rambly’, because it is Saturday (Valentine’s Day) and I get to work all day, so not lots of time to ponder today.

    This is exactly why I use the term ‘co-writing’…we must get away from viewing security as an absolute…either a 1 or a 0…security is all about risk management, and the enterprise needs to come to an understanding of what is ‘acceptable risk’ for them…do they understand the risks involved in using personal thumb drives? Are they willing to accept that risk?

    Ultimately, it isn’t the decision of the security group – their job is to ensure that the risks are understood, then help implement security controls to manage the risks to the level determined by management. If a breach occurs, seems like more often than not the security group is pointed out as deficient, when frequently it is the management decision to accept a risk that is the real culprit. So, since security groups feel like they’ll be the sacrificial lemming, they try to ‘over-implement’ security as an approach to CYA.

    Sometimes I want to scream “can’t we all just get along?” when it comes to enterprise IA. Instead of always falling into an ‘either/or’ view, we’d get much better security results if we cooperated, communicated, and managed the risks appropriately.

    When looking at any external set of controls, we run into the same tension…sure, a project can be successful without any PMBOK/PMP practices, software can be developed outside of any SDLC or CMMI, or Agile processes (I know, I’m freely mixing and matching), but many folks agree that bringing in these external processes helps provide more predictable results with higher quality.

    Kinda the same thing with security…certainly, we might have confidentiality, integrity, and availability if we play fast and loose, but when someone’s home thumb drive (with an inadvertent virus provided by their kids) brings down the network, will the National Lab workers be doing any more work than they’re doing with all the security rules in place?

  2. Carl,
    My problem lies in this idea of “co-writing policy.” Operations and Security are not peers – our focus is to get a job done, not just protection. I spoke with someone from a National Lab recently who said her office put up a sign: “Work-Free Safe Zone.” The security lock-downs are simply out of control as practiced and hurting the mission.
    While I understand the importance of “external” audits, this leaves open the question: who decides? The fact is that the mission is fluid, and hard rules do not help us adapt to evolving challenges. There may be times when the mission will accept more risk than other times. If we agree that this is one key to agility, how does “co-writing” policy or security-as-IG help us get there?

  3. Carl Willis-Ford

    “Subordinate Information Security Functions to Operations” – If what you mean is to have the ‘hands on’ done by Operations, with a separate security organization co-writing policy and providing audit functions, then I agree wholeheartedly. If you mean to have Operations encompass all security functions, then (among other problems) you lose separation of duties, leading to disaster…it really IS important to not have an organization audit its own security work.

    Ideally, the security professionals don’t work for the CIO…imho, an enterprise needs the tension between the CIO looking for new and better ways to provide access and the CISO looking for new and better ways to provide security.

  4. Irving Lachow

    John,
    Great blog! I like your analogy to financial markets. Another common theme across the two: the primacy of information! Financial markets live and die on information. Same is true of the national security system. Along the same lines, both can be modeled quantitatively, but are ultimately driven by psychology and are thus irrational. You wanna write a paper on this? :)
