Category Archives: Public Policy

voting machines, cybersecurity, Iowa caucuses

Iowa caucuses and the Shadow app: A lesson in critical infrastructure

On Monday 3 February 2020, Iowans caucused at almost 1700 precincts across the state to select their preferences among presidential candidates.  Three days after the Iowa caucuses, the final tallies for the Democratic presidential candidates remained incomplete.  The popular press blames a technical glitch in the Shadow app, but accountability resides with the party leaders and the Shadow app executives who allowed technology that had been neither fielded before nor fully tested to be deployed as critical infrastructure.


Gatwick: attack of the drones

Authors – French Caldwell and Richard Stiennon

Key takeaways –

  1. Air transportation infrastructure is particularly vulnerable to non-lethal attacks by drones
  2. Regulatory controls alone will not stop drone attacks
  3. Attacks like the one at Gatwick this week are a serious reputational blow to the drone industry and to the rapidly growing ecosystem of drone control software and analytics vendors

Smart mobs in Paris: let them be social

Key takeaways:

1 – With modern social technologies, political movements can coalesce in days, maybe hours

2 – The weak political center and struggling traditional political parties in France provide an opening for the emergence of more political movements enabled through social technologies

3 – Government leaders should be prepared with strategies to predict, engage, monitor, and respond to rapidly emerging political movements

Over the last three weeks, protests in France that were triggered by a new fuel tax and rising fuel costs have grown through social media into a national movement.  Watching the yellow vest protesters break out into a violent mob in Paris, and the police response with tear gas and water cannons, reminded me of other protests over the last two decades that have been organized through social technologies.  The very first was the Battle of Seattle, where protest organizers used text messaging and online bulletin boards – but that required weeks and months of preliminary planning.  As we observe in France, with modern social technologies, political movements can coalesce in a few days, maybe a few hours.

Text me — killing Doha

The anti-WTO protests in Seattle in 1999 are the earliest documented application of social technologies in street-level activism.  In Seattle, protesters networking through cell phones and updates to online websites were able to outmaneuver police and shut down a round of trade talks.  The round of WTO talks that had led up to Seattle ended inconclusively, with no agreement on the major issue of breaking down trade barriers between rich and poor nations.  The subsequent Doha round of talks, which began in 2001 and was scheduled to complete in 2005, picked up on the same theme of breaking down trade barriers between rich and poor countries.  However, ten years after the original deadline the Doha round was still not complete – the smart mob had killed it.

The Arab Spring — not quite social

With the advent of smartphones, social media converged with mobile technology, and Twitter was often identified as an enabling technology for street protesters in the 2011 Arab Spring.  Credible research has shown that during the Arab Spring protests, most street activism preceded social media activity rather than followed it – indicating that most people were tweeting and posting about the events they were seeing on television, rather than using social technologies to organize the protests.

Social technologies help political movements, but leadership still matters

Seattle in 1999 remains the benchmark for organization and execution of street activism using social technologies.  The yellow vests in France have yet to demonstrate a similarly high degree of organization, and the protests could peter out.  However, there is a political vacuum in France, with both right and left mainstream political parties having been marginalized in the last elections, raising the specter of a weak center represented by President Macron and his “La République En Marche” party facing a population that has shown that it can self-organize through online and mobile technologies.

So far, Macron’s government has been ill-prepared to deal with a national political movement that appeared in a fortnight. In Macron’s favor is that the yellow vests have shown no cohesive national leadership; yet, that is also a problem for Macron since there is no legitimate movement leadership to engage.


Many government leaders treat social media as another public relations channel, like print and broadcast media.  Instead they should be looking at social and mobile data as a rich source of insights.  Government leaders can use social media analytics to predict, manage, engage and respond to rapidly emerging political movements, as follows:

1 – stress test proposed major initiatives and identify key indicators that can predict the range of societal reactions

2 – identify the people who are the primary influencers and engage appropriately and constructively with them as the indicators warrant

3 – monitor the indicators before and after the initiative is launched

4 – if people take to the streets, analyze the mobile and social data to guide the deployment of and response by law enforcement in ways that prevent or limit violence

5 – while mining and analyzing social and mobile data, ensure that policy and procedures to protect individual and group rights of assembly, petition, free speech, and privacy are followed


It’s not just about privacy — and Silicon Valley doesn’t get it

Key Takeaways:

1 – Silicon Valley and Washington, DC, are vying over which capital – the tech capital or the political capital – sets the public policy agenda.

2 – Americans are not so much worried about privacy as they are about Silicon Valley’s threat to their free will.

The SV-DC balance of power

I recently attended the Bloomberg Next Summit in Washington, DC, and during a panel discussion on the divide between Silicon Valley and Capitol Hill, Fred Humphries, Microsoft’s Corporate VP for US Government Affairs, said that the technology industry has lost trust on Capitol Hill.  The panel, which also included Niki Christoff, Salesforce’s SVP for Strategy and Government Relations, and Michael Beckerman, President and CEO of the Internet Association, then went on to discuss the prospects of a U.S. privacy law.  Christoff boldly predicted that the next Congress will pass a national privacy law, and Beckerman agreed.  Beckerman added that it is not going to be another GDPR, but will be U.S.-specific.  Humphries offered a dissent, noting that there are many different business models in the technology industry, and that these different sectors of the industry would each seek provisions that would impede other sectors, making it difficult to have a privacy regime that would apply across all of them.

Frankly, this panel’s immediate deflection to privacy as the issue that must be addressed to improve trust in the technology industry illustrates that Big Tech just doesn’t get it.  What’s dividing Big Tech and Capitol Hill is power – it’s a fight over who is going to set the direction of public policy for the country.  It’s not a fight that is peculiar to the U.S., but with the global capital of Big Tech being Silicon Valley, the balance of power between Big Tech and Big Gov in the U.S. has a huge impact on that balance in other countries, particularly in other democracies.

Free will, not just privacy, is at stake

Certainly, Americans are concerned over their privacy.  According to Pew, 91% believe that people have lost control of personal information and how it is used, and 49% are not confident of the federal government’s ability to do anything about it.

But so what – despite data breaches, identity theft, and all kinds of scams that emerge from these, most Americans still freely share all kinds of personal information online and through their mobile devices.  Increased surveillance seems to be tolerated too – not just government surveillance, of which 82% of Americans are tolerant according to Pew – but almost everyone carries around a smartphone that collects massive amounts of personal data through the dozens of apps on each device.

Americans may be worried about the collection and misuse of personal information – but heck, they trust technology more than government.  According to the Edelman Trust Barometer, after a battering year of tech scandals, including sexual harassment at many firms, concerns over how social media may have been used to manipulate the 2016 presidential election, and the Equifax data breach, trust in the technology sector dropped just one point to 75% as opposed to government which dropped 14 points to 33%.

Judging by their continued heavy engagement with mobile devices and online, privacy concerns are not the driving factor dividing Silicon Valley and Washington – it’s really, who is going to be the biggest influence on setting the public policy agenda — how Americans think about the issues and how we organize to achieve societal objectives.

It’s the perception that we are losing our individual and collective free will that is troubling Americans. In 2010, Google CEO Eric Schmidt said: “We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”  And knowing what we are thinking about allows Google and other search and social platforms to help their advertisers and partners to influence our actions — not just what to buy, but what issues matter most, and perhaps even how to vote.  Are the FAANGs just one step short of mind control?  That’s what Schmidt implied, and he’s made the same statement many times in many forums.

Capitol Hill’s issues with Big Tech aren’t the same as Americans’

Capitol Hill also has issues with Silicon Valley, particularly with social platforms like Facebook and Twitter.  These platforms are enabling citizens to self-organize around public policy issues – loosely aligned groups like Black Lives Matter and the Tea Party are challenging establishment political parties for primacy in shaping the public policy agenda.  Individual citizens are bypassing Congress, state legislatures, and regulators as they directly challenge businesses to change their behavior and policies.

There is also a concern on Capitol Hill and within traditional policy-making institutions over concentration of power within a small number of Big Tech firms – particularly the FAANGs – Facebook, Apple, Amazon, Netflix, and Google.  Their dominance over control of information flows and news distribution, and the centralization of economic power enabled by their platforms, plus the dominance of these corporations by strong public personalities is concerning.  Both the disintermediation of traditional political and governmental institutions and the concentration of power, enabled by social and e-commerce platforms, diminishes the role of politicians, regulators and other public policy-making institutions.

The possibility that the FAANGs could become more powerful than governments is not lost on politicians globally.  European Union regulators are already taking steps under competition law and privacy law to de-fang the FAANGs, and China has shown that it is possible to have a rapidly growing internet sector with heavy governmental oversight.

While the model of governmental control in China is not transferable to western democracies, there is certainly more regulation to come for Big Tech in the U.S.  A national privacy law will be a start, but that alone will not be enough to calm the unease of Americans and their politicians.


New cybersecurity laws are on the way

This week, I joined the Silicon Valley Leadership Group for a visit to Capitol Hill. The group had asked me to share a few thoughts with congressional leaders on how cybersecurity policy affects cloud software companies like my own, MetricStream. We met with congressional leaders who are grappling with cybersecurity issues. House Majority Leader Kevin McCarthy, Homeland Security Committee Chairman Michael McCaul, and Representative Patrick Meehan all demonstrated a depth of knowledge on cybersecurity and how it is affecting businesses. They were focused mostly on cyber intelligence sharing between the federal government and industry, and between companies. To remove roadblocks to sharing, Congress is considering bills from the House and the Senate that will provide antitrust and liability protections to companies that voluntarily share cyber intelligence. Privacy advocates are justly concerned about the sharing of information, and protections are being built into the proposed legislation. Whether those protections are adequate is a political issue that is not easily resolved, but regardless, some form of cyber intelligence sharing bill will likely pass this year. There are several other cybersecurity policy issues remaining, and I expect this bill will break a logjam that has existed on critical infrastructure protection and data breach legislation. More legislation will follow in the current Congress, and that will be mirrored in the EU and other jurisdictions.

While new rules will confront GRC leaders with more requirements, frameworks engendered by those rules like the NIST Cybersecurity Framework are establishing the foundations on which digital business depends. The many opportunities from the digitalization of business can be realized when our GRC programs are robust enough to ensure our organizations’ resilience in the face of new cyber risks, and our ability to meet the new requirements of what is likely to be a rapidly evolving regime of cybersecurity regulations. CROs, CCOs, CIOs, and CISOs will need to work out their own policies for cybersecurity and privacy that account for the variations in laws between different jurisdictions around the world. Cyber risks do not respect geographic boundaries, and in fact bad actors take advantage of those boundaries to protect themselves from discovery and prosecution, seeking havens in locales where enforcement is weak. Companies also find themselves in the unenviable position of being in the midst of cyber wars, and these are wars that will not stop regardless of new rules. While industry, civil liberties, and government leaders work out national policies and new regulations on cybersecurity, it will take real leadership from GRC professionals to interpret these developments and keep their organizations ahead of the curve.



Obama Administration lays groundwork for cybersecurity information sharing



On 13 February 2015, President Obama issued “Executive Order — Promoting Private Sector Cybersecurity Information Sharing.” The primary objective of the order was to encourage the formation of Information Sharing and Analysis Organizations (ISAOs) and the development of voluntary standards for information sharing by critical infrastructure companies. This is the third in a series of cybersecurity executive orders issued each February since 2013.

What you need to know

By establishing a regimen for the development of voluntary information sharing standards, this executive order gets a head start on the proposed cybersecurity legislation that the White House sent to Congress in January. The last attempt, in 2012, to get a cybersecurity act through Congress failed, mostly due to intervention from privacy advocates and concerns about increasing regulatory burdens on critical infrastructure businesses.  Following that failure, the President in 2013 issued “Executive Order — Improving Critical Infrastructure Cybersecurity.”  That order resulted in the Cybersecurity Framework, which has been well received by industry as a baseline standard for critical infrastructure protection. This new executive order is about as far as the executive branch can extend its authority without further legislation. With all the major cyber attacks since 2012, and with the Sony and Anthem hacks fresh in the minds of business executives, the public, and politicians, resistance to new regulations should be less than it was in 2012.

Operators of critical infrastructure should:

1 – Participate in the development of the voluntary information sharing standards

2 – Identify information that can be shared without legal liability concerns

3 – Prepare for legislation that will provide legal protection for information sharing.


The Executive Order doesn’t change much for critical infrastructure companies – current cybersecurity policies should not be affected directly. It does not direct government agencies to review current regulations or make changes to them.  The executive order calls for consultation on voluntary standards. Depending on what comes out of voluntary standards and the Executive Order, companies could make voluntary changes to their policies based on them.

There are no requirements for companies to share information with the Information Sharing and Analysis Organizations that are established in this executive order. Sharing is voluntary and not mandatory. For companies that decide to share information, there are legal risks. Until there is legislation that provides more specific legal protections, this executive order is not likely to have much effect, other than laying the groundwork for an information sharing regime.

The window for legislative action is open. All the major hacks that have happened since 2012, especially Sony, received a lot of political attention, and also attention from boards of directors and CEOs. There are special interests who are concerned about privacy and civil liberties, and there are other special interests who are concerned about putting more regulatory mandates on companies.  As far as the latter, legislation on information sharing will be much less onerous than the cybersecurity audit rules proposed in the Cybersecurity Act of 2012. The time to bring all sides in Congress together is right now while what happened at Sony and Anthem are still fresh in the mind.


Disruptive technologies are those that overturn the existing social order


What makes a disruptive technology disruptive?

This is a question that came up in a discussion with my cohort in the doctor of law and policy program at Northeastern, and I’ve been puzzling over it for a few months.  One characteristic is that technologies that emerge with new value propositions come from the convergence of two or more existing technologies.  For instance, cell phones existed for years before they became truly disruptive.  It was when the smartphone converged the cell phone with the internet that we began to see real disruption from mobile technologies.

With the smartphone, information becomes accessible and sharable anytime and anywhere, and it enables alternatives to existing services.  Smartphones have taken market share from cameras, music CDs, taxi companies, and even cellular service itself.  They accelerated the disintermediation of the recording industry that had already begun with Web-based music sharing.  Most recently, apps on smartphones have begun the disintermediation of the personal transportation and hospitality industries.

Convergence and displacement still don’t quite get at the disruptive effect of a new technology-enabled business model.  One more thing is needed: a threat to the social order.  Consider the case of farming drones such as those offered by HoneyComb and PrecisionHawk.  These drones and the associated analytic software enable crop tracking and better decisions by farmers on where and when to irrigate or apply pesticides and herbicides.  They can provide a level of detail beyond what a farmer can get by walking the fields, and do so more quickly and less expensively than services from agricultural airplane operators.  Many drones are financially within the reach of family farmers, thus disintermediating the farming aircraft operators and services.

However, crop-dusters and aerial surveyors who provide agricultural services have investments in expensive general aviation aircraft and equipment, and drones will destroy business value of these assets.  Hence, most general aviation services incumbents are opponents of drones, and they have cited safety concerns as a reason to ban their use.  For now, FAA rules effectively ban most commercial use of drones.

This government ban is only a short-term win for the agricultural aircraft business.  Imagine trying to get investment in such a business now.  Investors could be reluctant to fund the acquisition of assets that could shortly be obsolete.  On the other hand, with the FAA restrictions they may also feel inhibited from investing in drone-based business services.  This stalemate effectively freezes time for agricultural aviation technology; it’s like Cuba, where 1950s-era automobiles are still plentiful.  Even if a crop-duster wishes to shift his business to drone technology, it just isn’t reasonable to do so right now.  But the demand from farmers is there.

Government regulations though are not always able to intercept and freeze the disruptive effects of technology.  New business models that can capture a market rapidly enable the creation of a counter lobby to threatened incumbents.

Uber is a case in point.  This simple app connects the owner of a smartphone to the owner of a sedan or automobile, thus disintermediating limousine services and taxi companies.  Personal transportation services, unlike agricultural aviation services, are used by large numbers of people who can become a social lobby to counter the incumbent lobby.  Usage of emerging consumer apps can spread virally through word-of-mouth and social media, rather than being dependent on trade press and industry conferences.  This wide and rapid adoption enables entrepreneurs to run faster than the regulators.

Furthermore, regulation of personal services typically operates at a state and local level rather than at the national level.  The chance of finding friendly or just plain slow jurisdictions is pretty high, and by the time the incumbent lobby organizes itself, the new technology’s entrepreneurs and investors have the support of a large and growing number of consumers who can mobilize through social media — i.e., a social lobby.  By the time the backlash mobilizes, the entrepreneurs have generated enough revenue, social capital, and momentum to compete effectively in the lobbying game.

To summarize, the most disruptive technologies will include the following characteristics:

1 — Convergence of two or more existing technologies that enables the emergence of a new business model

2 — Displacement of incumbents that have significant investments in legacy assets, and thus a political stake in maintaining the status quo

3 — Disintermediation of the regulators through a vector that enables rapid development of a social lobby in favor of the new business model

Bottom line – Disruptive technologies are those that overturn the existing social order.



Disintermediating the three lines of defense, and the regulators too

Source: University of North Carolina, Charlotte


The three lines of defense paradigm for audit, risk management, and compliance is so commonly accepted, so ingrained in the way that we think of GRC functions, that no one questions it.  Until now.  Last week at MetricStream’s London GRC summit, Paul Moore, former chief compliance officer and famed whistleblower at HBOS, said the three lines model doesn’t work.  That conclusion raises the question of what can replace it.

The three lines model assumes that risks will follow the same hierarchical, process-oriented structure that the organizational model follows.  But we all know the hierarchical org chart is not the real model for how value is created.  Value chains don’t follow organizational hierarchies, nor are they limited to a single business entity, and neither are the risks associated with the processes, regulatory requirements, and assets that are incorporated within those value chains.  The real work is done across teams, divisions, departments, geographies, and even across companies.

The three lines of defense model assumes that business units are identifying and managing the risks, risk and compliance managers are ensuring that the business units have effective controls and risk management processes, and internal auditors are providing an independent opinion to management and the board on the effectiveness of risk management and compliance activities.  This model assumes specialization and segregation of each of the lines of defense, and increasing objectivity from the first to the third lines.

This model leaves out the people closest to the risks.  The person with the best knowledge of a risk should be the person closest to the processes or the assets that create value for the organization.  This might be a front line employee, a business partner, or even a customer.  It’s rarely an auditor, a risk officer, or a business unit leader.  Enabling those people at the front lines to recognize risks, and to manage and mitigate them is critical to sustainable performance.

The three lines model is no doubt going to persist for a while, but already it is being disintermediated aggressively.  Regulators are demanding more and more corporate data that enables them to independently evaluate risks and controls.  SEC chairwoman Mary Jo White attributes the record number of enforcement actions in 2014 to the innovative use of advanced data analytics technology.

Social media has also served as a check on companies.  As more corporate data is available to crowds of networked individuals, key influencers can mobilize a “social lobby” to respond to what they perceive as poor industry or corporate practices.  Armed with social technologies, the people formerly known as the customers (or the voters, citizens or constituents) become the new regulators.

Companies can learn from these big data and social lobby developments.  Crowdsourcing risk management can tap into the collective intelligence of customers, partners, employees, or experts.  Data-based monitoring of risks and controls with advanced analytics can enable quicker identification of potential risk events or control failures, and discover risks that might fall between organizational and risk management silos.

Disintermediation is usually not complete.  iTunes has not replaced recording companies for instance, but it and other music industry cybermediaries have forced a huge shift in the recording industry’s business models.  We should expect cybermediaries to arise that offer GRC services that force a shift in the three lines of defense model;  even more revolutionary, imagine GRC cybermediaries that compete with regulators and statutory auditors.



Reinventing Me

I’ve reinvented myself before – from a nuclear engineer to a strategist, from a submariner to an industry analyst; I’m right now in the midst of another personal reinvention.  My departure from Gartner is the most visible sign of my reinvention effort, and that was really hard to do.

As another part of my personal reinvention, this weekend I was in Boston for my monthly “intensive” at Northeastern.  I’m working on a doctorate in law and policy which I’ll finish next June.

A year ago, I decided it was past time to reinvent myself, and pursuing a doctorate would help me to shift gears.  My master’s degree in international studies had certainly helped me move from engineer to strategist.  My doctorate is helping me to focus on new research into intractable policy issues raised by disruptive technology.  Not wanting to spend six years on a PhD, I found that the two-year program in law and policy at Northeastern fit both my interests and my goals.  My research is specifically focused on the impact of disruptive technology on the process of making public policy.

My interest in the intersection of technology and public policy dates back to my early years at Gartner.  In 2000, with the encouragement of Bill Malik and Richard Hunter, I founded the Technology and Public Policy research community.  About 20 analysts participated and we produced a large number of special reports.  However, in 2002 with Enron and other technology-enabled business models falling to scandal, our attention turned heavily to risk management and compliance.  With regulatory proliferation and risk management demanding so much analyst attention, the strategic intersection of technology and public policy received less research attention at Gartner.

However, in the last two years that began to change.  Gartner identified the “nexus of forces,” the convergence of social, mobile, analytics and cloud (SMAC) technology drivers, as rapidly introducing new business models, and a new war has emerged over the control of information between individuals armed with social and mobile technologies, governments and companies armed with big data analytics, and criminals taking advantage of vulnerabilities.  Gartner analysts Frank Buytendijk and Jorge Lopez have addressed this struggle in their Digitopia scenario.

Reinventing me, I am building on my strategy, governance, risk management and compliance expertise with research into the impact of disruptive technologies on the core issue of how we actually govern ourselves as societies.  We’ve seen over the last few years how new technologies have radically transformed whole industries; the recording industry and journalism are two examples.  Traditional B2C and B2B commerce models are under tremendous pressure from the digital business models of Amazon and Alibaba.  With new digital businesses like Uber and AirBnB, the transportation and hospitality industries are transforming rapidly.

With such radical transformation of so many industries, there is every reason to suspect that government and other key players in the public policy process will themselves be disintermediated as digital transformation overtakes the policy industry.  Failure to manage the risks of this transformation is a risk too great to ignore.