As the traditional military and law enforcement minds confront the threats of information terrorism, the most likely reaction will be to call for more procedures, better technologies, more exhaustive checklists, tighter specifications, regulations, laws and budget increases.
Somehow this reminds me of how the Maginot Line was built. The thickness of the concrete and the configuration of the steel reinforcement were specified in exquisite detail. The defenders were sealed behind heavy steel doors that met the best banking vault requirements.
It also reminds me of the Baldrige Prize.
The Department of Commerce has assembled the most comprehensive catalogue of what experts believe to be prescriptions for excellence. It is the check-list to qualify for the Malcolm Baldrige National Quality Award, instituted by Congress in 1987 and administered by the Department of Commerce at a cost of $3.4 million per year. Applying for the Baldrige involves an elaborate process. Specially appointed examiners assign prescribed ratings to hundreds of acts before they can agree that an organization has earned the nomination.
From 1988 through 1995 there were 23 Baldrige Award recipients. Ten organizations are privately held or have been merged, so that financial data are not available. One of these firms, Wallace Co., won the Baldrige in 1990, only to file for bankruptcy protection two years afterwards as the expense of keeping up its meritorious habits soared.
Of the remaining thirteen, only two show a positive Economic Value-Added for the seven-year period from 1988 through 1994. The Solectron Corporation and Corning, Inc. added $134 million to the U.S. economy. The other eleven winning firms, such as Armstrong World Industries, Motorola, Eastman Chemical, Xerox, Federal Express, Texas Instruments, Westinghouse, General Motors and IBM, all show negative Economic Value-Added and detracted a total of $100,678 million from the U.S. economy.
Implications for the Information Defenses
There is a mentality that will always invest enormous effort in coming up with lists of the best generic policies on how to protect our institutions. These are admirable endeavors, comparable to an encyclopedia of every conceivable idea that someone thinks has merit.
However, following every one of these prescriptions will not guarantee security, because implementing all of the good ideas will be neither feasible nor affordable. Specifying, in sublime detail, operating practices - such as escrow keys and mandatory encryption algorithms - so that they can be checked off against government policies and directives is futile and most likely counterproductive. The government would make a far better contribution by working on a framework and process by which organizations can specify the desired levels of security assurance and by which management can then establish what levels of security assurance are worthwhile. Only after that is done would commercial organizations be in a position to look up the catalogue of technological fixes and great ideas to find which ones fit the reality of specific situations, such as banking, electric power distribution, telephony, etc. Only after that should industry groups engage in negotiating protection practices which they cannot manage on their own. The cops are called by banks only after the bank's own protective measures have failed.
Otherwise, along the precedents set by the builders of the Maginot line, we will pour lots of "quality concrete" into holes that our adversaries will simply overlook as irrelevant.
Reproduced by permission from Paul A. Strassmann