Tag Archive | Security

The Intention Heuristic Lurking in Iraq

Terrible, worrying news out of Iraq today as the jihadist rebels who have previously been confined to Eastern Syria have spilled over the border and are advancing south through Iraq with lightning speed.  Rather than stand and fight, the poorly organized Iraqi forces are fleeing without firing a shot.  Naturally, there is some concern about this in the halls of American foreign policy, and the usual actors are taking the opportunity to cast blame – the right on Obama’s weakness and his withdrawal from Iraq, and the left on Bush’s invasion in the first place, as well as the tinpot dictator he left in charge.  Beyond casting doubt, people are looking for some way that America can stop this – mostly not through re-invading, but perhaps some judicious application of airstrikes to hinder the insurgents.  After all, we created this paralyzed government and feckless army, surely this is at least partly our responsibility.

This is perhaps the perfect example of what libertarians call the “intention heuristic” – that the best thing to do is that which most makes you feel you are doing something to help.  The intention heuristic critique is central to the more sophisticated conservative critiques of the welfare state – that voters don’t actually care about what is best for the poor, but want to “do something”.  This is a natural human impulse, and what makes the phrase “you broke it, you bought it” seem initially so compelling when applied to situations like Iraq.  It should be consciously acknowledged, and resisted when possible.

The unfortunate truth is that the consequences of American intervention in the Muslim world have proven extremely difficult to predict, and it’s not at all clear that they are positive.  Afghanistan remains in an endless war, the security situation in Iraq has been deteriorating for at least a year, and Libya is hardly well-off.  There’s little reason to believe that American intervention in the looming Iraqi civil war would go smoothly or have unambiguously positive effects.  It’s probably wiser to leave this fight to others.  Iran, for one – their forces are already on the ground.  They are much more motivated to defend their client in Baghdad than we are.

Although I do wonder whether it would benefit nuclear talks to have American drones providing close air support to the Revolutionary Guard…these are strange times.

Cyberwarfare and Public Accountability

One of the reasons that American presidents go to war – not a good reason, mind you – is known as the “Rally Around the Flag” effect.  When America gets involved in an armed conflict, whether as defender or aggressor, the president becomes more popular and more highly-approved, and often the conflict itself is accompanied by a burst of legislation unrelated to the war.  There’s a lot of debate over precisely how strong the effect is and what drives it, but the existence of the effect itself is one of the best-known findings of political science.

This could be relevant for the decision to embrace cyberwarfare.  Today the NYT reveals that the Obama adminstration was deeply divided over the question of whether to use cyberweapons to attack the Syrian government.  The NYT reveals the deep discussion over the strategic benefits and risks – but one that does not appear there is the potential effect on American public opinion.  Cyberwarfare is still visible to affected foreign players (and possibly friendly/neutral ones too) and America is strategically accountable for its actions in this sphere, but it can be plausibly denied in a way that bombers and paratroopers can’t.  If Obama had decided to go forward with attacks on Syria, he would have had to deal with the fallout from Syria and Russia, but it likely would have remained secret until the next Edward Snowden leaked it.

If cyberwarfare is normalized, more acts of national aggression will take place out of the public eye.  As a positive question – a question of facts – public opinion is a significant constraint on executive action.  As a normative question, people differ a lot on whether this constraint is a good or bad thing.  Perhaps the people stop wise Presidents from taking the actions necessary to protect the country; perhaps the people’s reluctance to go to war stops foolhardy Presidents from making dangerous leaps into conflict.

The growth of cyberwarfare will be a neat and potentially worrying test of who is right.

Contractors (Not) Vetting Contractors

A less cynical person might be surprised.  But as it turns out, something is rotten in the state of Securitystan.  In order to work for a sensitive government department, a person needs a background check and to be cleared.  This is how we make sure that no one is about to go Edward Snowden on America’s national secrets.  Now, this is a lot of effort.  As a part of the government’s general commitment to outsourcing whatever it can’t cut, it has left this duty to the care of private firms.  They are paid for every single person they clear.

The incentives are pretty clear, and the private sector has responded.  USIS, one of the largest security clearance contractors, may have fallen down on the job of performing clearance checks.  “Fallen down on the job” doesn’t really cut it.  They didn’t cut corners, or maybe let a few people slip through.  No, they were rubber-stamping applications so fast they needed special software to mark an application as “approved” the minute they came in the door.

Initially, USIS would dump cases manually. Soon after the dumping started, however, USIS began using a software program called Blue Zone to assist in the dumping practices. Through Blue Zone, USIS was able to identify a large number of background investigations, quickly make an electronic “Review Complete” notation indicating that the ROIs at issue had gone through the review process even if they had not, and then automatically release all of those ROIs to OPM with the “Review Complete” notation attached. By using Blue Zone, USIS was able to substantially increase the number of background investigations that could be dumped in a short time period.

Perhaps the private sector isn’t the answer here.  It doesn’t take an economic genius to know that paying per-head fees encourages faster throughput.  And if the government has outsourced most of its capacity to actually do background checks that just makes it harder to audit the contractors.  It’s an excellent combination for some good old-fashioned fraud.

The federal experiment in contracting has had a good long run, but it sure seems the pendulum has swung too far.  When contractors are responsible for huge parts of our national security infrastructure with little to no oversight, the United States is just asking for more Snowden-type incidents.  It seems almost as if the whole affair – this USIS fiasco included – is just designed to swing the pendulum back towards the government doing more in-house.  As USIS shows, the reason to do so goes far beyond just cost.

Of Panzers and Excel

The ongoing debate over the sequester has gotten me thinking of software design.  Some in the United States military have argued that the next war we need to prepare for is a small war in the Middle East, others a massive naval conflict with China.  Failing to prepare for either would be disastrous, and so our military budget must forever expand as we prepare for both.  Given the perceived threat environment, I can understand why the Pentagon is yelping so much at some relatively mild trims to their planned budgets.  Yes, the sequester cuts are poorly planned and will incur financial/operational costs in terms of sudden contract disruptions – but the real reason the Pentagon is complaining is that they want this money in order to prepare for both these threat environments.  Plus Iran, and rapid humanitarian deployments, and pirates off Somalia, and God knows what else.

Here’s a provocative counterargument for the Pentagon – stop trying to plan for the next war, because we know you’ll get it wrong.  That’s okay – you’re only human.  Everyone always gets the plan for the next war wrong.  That doesn’t mean you have to stop running simulations and wargames – though sorry, our enemies will always come up with something we didn’t think of.  Again – they always do.  But stop trying to plan for the next war or any war because preparing for everything is impossible.  Instead of preparing for everything, prepare for anything.

Preparing for anything means a priority on building a flexible infrastructure for response.   The US’s greatest military challenges have been the Civil War and World War II, and we triumphed in both because we had the material and human infrastructure to develop appropriate responses to the threat environment and scale the responses really big, really quickly.  It’s hard to know what exactly that means in the modern context – that’s the real utility of running those wargames, in the hopes that across all the scenarios some common patterns start to emerge.  We’ll get it wrong, as we always do.  But by prioritizing flexibility over optimization we’re less likely to be disastrously wrong.

A parable from World War II – the T-34 versus the Tiger tank.  The Tiger was a massive piece of wonderful German engineering: the most armor, the most powerful engine, the most destructive main gun.  The T-34 was much smaller, and in a confrontation the Tiger would win every time.  Not even 1-on-1 – there are documented engagements where a single Tiger would wipe out 20+ T-34s without taking a scratch.  Within the engagement, the Tiger was the unquestioned superior solution.  Yet the Tiger never made a dent in the course of the larger war, and the T-34 is regarded as the highest achievement in tank design in the history of warfare.  Why?

A T-34

The T-34 was spectacularly well-suited to the actual problem at hand, whereas the Tiger was incredibly poorly suited.  The powerful engine of the Tiger was precision-made by hand, limiting production speed and capacity enormously.  It was also unreliable – and since there were so few Tigers and parts were handmade, parts were pretty darn scarce too. The T-34’s engine wasn’t built for raw power, it was built for reliability. Oh, and it was “precision-engineered” too – Soviet engineers worked tirelessly in order to reduce the number of parts and decrease the precision of machining required.  In the tough conditions of a Russian winter guess which one was the dominant approach?  Speaking of, there weren’t much in the way of roads out there.  Well, having the best damn tank in the world doesn’t do you any good when it’s so heavy it sinks instantly in soft ground and breaks 90% of the bridges out there.  The Germans built for the dominant solution, and the Russians built for the one useful in the most contexts.

A metaphor, stuck in some mud.

I’m speaking in software terms here because they’re extremely relevant.  We’ve all encountered the over-engineered solution many times.  For any given mathematical task there are many solutions that provide the dominant solution for the problem you want to tackle right now.  But if you asked everyone who uses numbers in their work the one program they couldn’t live without, it’s Microsoft Excel.  Imagine a map of America where Excel sits in the middle of Kansas and your desired use case may sit anywhere on the map.  Other solutions may be closer to your particular use case, but Excel has the shortest average distance to the destination.

This is just a long-ass way of saying that when the military tries to simultaneously prepare for a war in China with fancy stealth fighters and a war in the Middle East with COIN tactics, it basically guarantees building itself a Tiger.  Procurement budgets with unlimited money want to look for the dominant solution to every single use case, and build themselves the ultimate versatile toolbox with a million purpose-built tools.  To mix terms from two worlds, we don’t get to define our own use case – the enemy does.  If we assume that we’ll be wrong about the use cases that we face, it shows us that the “build many Tigers” approach doesn’t guarantee failure, but it guarantees a lot of wasted money and a strong possibility of failure.

Not all is lost, however – there is one way to guarantee we’ll be less wrong, which is to lessen the universe of potential use cases.  The relevant area here is political, not technological – the more America tries to do all things in all places, the larger the universe of things we can screw up in our preparation and the more wildly wrong we can be.

First they came for the locksmiths…

I got locked out of my apartment this last weekend, and I must say it’s been a long long time since I’ve had a customer experience so terrible.  When you are calling a locksmith, it’s generally after the shit has pretty much already hit the fan – you’re desperate, you are probably without cash, and you are totally captive.  Especially if it is an inconvenient time, and isn’t it always, your ability to comparison-shop is extremely limited.  And you have exactly no choice in the matter.

This is exactly the type of customer experience that “disruptors” love to talk about, but it’s not at all clear what the easiest way to do this is.  It’s a problem that relies on individual skilled labor by the locksmith in situ, at any time at any location.  While the second part of that is something that is a pretty solvable problem, “in situ individual physical skilled labor” is pretty much the definition of something that is terribly-suited to be solved with software or hardware.  You know, the opposite of scalable.  Which is why locksmithing isn’t a big business despite the extortionary 3-digit price I was charged.

Here’s my suggestion – you’re not actually paying for the service here, you’re paying for a key that will fit the lock.  Unfortunately, the best way that we’ve had of creating that key up until today was in situ individual physical skilled labor.  But this is exactly the type of problem that I would suggest is solvable with 3D printing – the right shape at the right time. Once we can figure out the right hardware, software and operational infrastructure to put around the technology, the locksmith is a dead profession and we’ll all be better off.

Other than locksmiths, of course – but in case you can’t tell I don’t think too highly of their line of work.