[Posted by LNW Executive Director Zach Tumin]

There continues to be concern that we are not doing enough to address the problem of cyber security - even that we lack, still, a clear view of the problem, a vision or strategy to deal with it, or an investment plan that will succeed.

It is not for want of trying. Our nation's cybersecurity issues are well-documented. Yet current efforts such as the National Cyber Security initiative, cloaked in secrecy, and limited to governments, have been critiqued as too little, too limited, and too mysterious. Others have offered sharp critiques of the critiques.

How should the United States or any reasonable nation respond? The complexity of events and response, and their dynamism, argue for vision, strategy, and investment. For the United States, the advent of a national cybersecurity czar; of a chief technology officer with "domain" over the federal IT enterprise; and of a chief privacy officer with similar purview, all point to a new level of seriousness and commitment to cybersecurity in the new Administration.

How shall we move next? As a new cyber czar takes this on, many approaches will compete for time, attention and investment.

Should we attack the problem of cybersecurity at the level of hardware or software solutions, moving first to secure servers and computers, or applications and services?

Should we perhaps approach the problem from the level of integrated management, taking up the major vulnerabilities which corporations and governments all face, such as identity management and authentication?

We could focus instead on securing critical business operations - whether power plants, financial payments systems, or next generation civil aviation. At least we'd be assured of lights on, cash available, and planes staying in the sky.

Perhaps we should focus on securing the social web. Millions of citizens use Twitter and Facebook, for example, and we'll need those during disaster or crisis --- or even for everyday "citizen engagement/web 2.0" activities. That digital device in my pocket is my friend and yours. Or, is it an enemy's on-ramp? At the moment, there's no saying it's not both, and that makes the social web risky.

Should we, rather, deal with the "upstream" problem of nation states and criminal organizations who sponsor this stuff, and attack, dismember, and destroy them? Could we do that even if we wanted? Maybe we need them, too - for our own purposes.

Perhaps we should articulate a meaningful doctrine of cyber deterrence which freezes actors, not simply from fear of capture but from the threat of dire consequences to themselves, their families, and their allies. No one has, yet.

Framing the Options: The 10 Challenges We Face

A new cyber security czar will quickly face such choices. Ultimately, the czar will have to translate all into tactical, practical, and actionable options and results. Any strategy for cybersecurity would have to address - have an answer to -- these ten great challenges:

1.    The boundary between nation states, rogue states, and criminal organizations is now blurred. As recent Russian-involved cyber attacks on Estonia, Georgia, and now Kyrgyzstan make clear, many groups may concentrate or coordinate attacks for strategic purpose and tactical gain. Any cyber strategy must enable us to deter, detect and thwart such complex, multipronged attacks.

2.    Key global and domestic infrastructures remain vulnerable, even unattended. Do our electronic payment systems, for example, remain exposed? Who has -- owns -- a clear strategy to define, let alone assure, minimum essential functioning at the retail or wholesale level in the event of attack? We need a cyber strategy that defines the minimum essential level of functioning required for key infrastructures, specifies its requirements, and assures it.

3.    The uptake and adoption of innovation is uneven, and creates risk in pockets. Yet network defense of every node is inherently more difficult than network attack on a single node- especially networks that criss-cross organizations, sectors and nations. We need a strategy that assures adoption of innovation throughout networks and which is consistent with requirements for resilience in our key sectors.

4.    The nation's welfare is no longer a mere function of government: corporate vulnerabilities create risk for the nation and obligation for private sector initiative and investment. We need a cyber strategy that articulates an effective approach, whether by market or regulation, to secure corporate assets as vital to national security.

5.    With military R&D limited now, commercial R&D proliferates and is widely available as technology both to attackers and defenders; the race to "asymmetric" advantage is based therefore not on technical superiority but on adaptation and response. We need a cyber strategy with a strong translational "bench-to-community" research capability, to move innovation quickly from field, to lab, to field again.

6.    Federal, state and local budgets are severely constrained; the opportunities for massive new infrastructure investments are limited; the capital plant as it exists today will likely be the legacy for the next decade; adapting legacy infrastructure to current and future challenges is therefore critical. We need a cyber strategy that requires few new resources and focuses on retrofitting the existing capital plant to new capabilities

7.    Governance of the national cybersecurity enterprise can neither be czar-like and  autocratic, nor anarchic or idiosyncratic. It must balance wisdom of crowds with communities of expertise. In no sense is governance now specified. Moving to standards, proving capabilities, assuring dynamic resilience are attributes any well-governed enterprise must provide for. We need a cyber strategy whose own process balances well the need for secrecy with public engagement.

8.    Our procedures for acquiring new products and services continue to slow our responses. Our adversaries - smaller, faster, more agile, less constrained - may adapt far more quickly to opportunity, and to our innovations, that we can. We need a cyber strategy which reforms our acquisition and procurement to support requirements for asymmetric advantage in cyberspace.

9.    The move to incorporate informal citizen and user networks under the "web 2.0" banner is unstoppable. It is also highly useful - especially in managing contested or confused domains of disaster, battle, or crisis. Such moves also put information reliability and security at risk. We need a cyber strategy that permits government and industry to take advantage of citizen networks while addressing critical issues in authentication and security.

10.    We have good "point" measures of readiness and capability, but no consistent way to apply them across our extended enterprise. That enterprise is of its nature a Wild-West show; who just came on and came off the enterprise platforms and how did that change risk for all? We need a capability to test ever-changing risk, readiness, and capabilities to deal with cyber attacks across the extended enterprise.

The Leadership Play: Fixing What's Wrong

A cybersecurity czar faces critical questions not only of strategy, but of managing a sprawling enterprise over which the czar will have little direct authority or control. What effects will she want to achieve? What's the right mix of government and industry action to achieve them? Will it be by regulation and enforcement, or laissez-fair market forces? None are perfect. How best to work the levers of change? As a nation, we will explore that next.

[Cross-posted to A Fire Under Embers]

"These are smart quotes”

"Are they really smart?”

"They're too smart”

Among my first "real world" assignments after graduate school was trying to improve productivity in the Sanitation Department of Mayor John V. Lindsay of New York City.

At that time, the typical garbage collection crew loaded 6 tons into their collection truck, then did something else as the truck traveled to the dump and back. They then continued loading for an average of one additional ton per crew.

But wait. Trucks were available that held 8 tons. We tested them to see if they were too big to maneuver in city traffic… and in almost all cases they worked.

So, how would you estimate the expected productivity improvement? And how would you get it?

We thought we could turn most of the extra truck availability into collection work. The Budget Bureau announced an expected productivity improvement of roughly 15% (from 7 tons to 8 tons per crew per day).

But the next year, as we prepared the budget, we had actually gotten no productivity growth.

Zero. Nothing.

Over the next several years, however, we boosted productivity measured by tons per truck shift by more than 20%.

How? Many things were brought to bear: legalizing garbage bags rather than cans (they weighed less); bringing in special trucks with automated container loading for large locations; improving truck maintenance; etc.

But the biggest factor by far was Walter Scharaga, the Cleaning and Collection Bureau Superintendant from the Bronx. Walter was tough. More than that, he was respected as fair by the Sanitation Union, whose prime complaint was inconsistency and unfairness that could creep in as the routes were extended.

We put together a Task Force with Walter in charge, moving it from district to district, laying out explicit new collection routes throughout the city. This changed the assignments and accountabilities for over 1400 peak-day (Monday) collection crews. District by district we laid out new routes, measured the results, reported publicly what we found, and moved on.

It wasn't rocket science, by any means. But it was very effective.

Our lesson was that technology typically enables productivity improvements, but harvesting requires the workflow to change, and this requires leadership to move the group from one pattern of assignments and behavior to another.

As a simple formula, this can be expressed as:

ΔT + ΔW + ΔL = ΔV (where T is technology, W is work, L is leadership, and V is value as productivity)

Years later, the key technology is digital data, computing, and networks, not bigger garbage trucks. But it's still true that we can't harvest results without changing the workflow. And we can't change the workflow without effective leadership.

This may seem obvious, and is. But it's all too often ignored.

If we need all three factors working together -- ΔT + ΔW + ΔL -- then what do we really need CIOs to be good at today? And how can we help them become more effective?

A short version answer to this question appears in today's Governing Magazine HERE.

We'll explore these issues in more depth in a June workshop at Harvard described HERE.

Let me know your answers to the "How do we harvest productivity?" question. I need new answers (and not all based on garbage).

We hope to see you in Cambridge in June.

Best regards,

Jerry