By Paul Bracken
One of the most harmful effects of China’s cyber espionage and from whistleblowers who publish classified information is the bureaucratic response that it triggers. Most agencies double down on secrecy. They install software to track access, monitor online behavior, and frequently attempt to entrap staff with “honeypots” and fake spearfishing bait to see who violates the rules. Those caught up in this morass of hi-tech security are usually singled out, with career reckoning implications. The purpose of these actions is to reinforce a culture of secrecy inside the organization.
Such bureaucratic behavior is predictable and understandable, at least to a degree. But it comes with a price. It sends a message that idea sharing and brainstorming with outsiders isn’t consistent with the values of the organization.
Contact with people in other departments and outside organizations is necessary for innovation. There’s a tension then, between secrecy and innovation. And we need to acknowledge this tension because we’re in a long-term competition, where innovation is such a critical part of American strategy.
For real innovation, people in different technology fields need to exchange ideas with one another, and with those in operational commands. Secrecy gets in the way of this conversation. Without an exchange of viewpoints with those outside of departmental lines, the tendency will be to think inside the box defined by the “official” security procedures and systems. The result is like Walter Lippmann once said, “When everyone is thinking alike, then no one is thinking.”
The Uses of Secrecy
Security procedures, monitoring software, clearances, etc. have two roles. One is to protect critical information from falling into the hands of foreign enemies and preventing untrustworthy or criminal individuals from getting inside the security apparatus.
In recent years, high-profile cases have highlighted this danger. Chinese hackers have stolen vast amounts of U.S. intellectual property and weapons secrets. On a different front, Edward Snowden, Chelsea Manning, and Nidal Hasan (the Fort Hood shooter) clearly showed what can happen if untrustworthy individuals get inside the system. Solutions to these problems have been the main focus of most agencies in recent years. A huge effort is now devoted to online security by the U.S. government. Moreover, as a recent RAND study describes, advanced tracking methods based on artificial intelligence checking of individual behavior is used to cope with the threat. There can be little doubt that monitoring of employees is increasing. It is becoming continuous, so that nearly all online and much offline behavior is monitored. The sophistication of this individual monitoring is increasing, as the RAND study indicates.
But the security system has a second, different role as well. Companies, and government agencies, use it as a competitive tool to protect a monopoly on key technologies, to hide embarrassing failures, and to increase the profitability of a program by keeping out competitors. Security clearances often are used as a deterrent to entry, to limit competition, and to block substitute, better products from consideration.
The Impact of Secrecy on Innovation
To understand how the security system of clearances and tightly controlled access impacts innovation, I will use a simple theory taught in every business school in the United States: the Five Forces Model. This model was originally developed by Professor Michael Porter at Harvard Business School. Variations of it are the basis of most management consultancies like McKinsey, BCG, and others.
The model uses five factors to characterize an industry. It breaks competition down into logical parts. The five factors are: the degree of competition, supplier power, threat of entry, buyer power, and the threat of substitute products.
Let’s examine how each of these factors works in defense and intelligence.
The degree of competition in an industry like intelligence collection, cybersecurity, electronic warfare, cloud computing, or helicopters can be described qualitatively. For example, it could range from low to medium to high. Competition could also be described quantitatively. Standard measures here are profit, EBITDA (earnings before interest, taxes, depreciation, and amortization), or ROI (return on investment). The dynamics in any industry are a jockeying for a position where, ideally speaking, competition is low, and therefore where profits are high. This maneuvering for position is described in terms of the other four factors.
Supplier power is the ability of companies to restrict supply to drive up prices, or to preserve some other advantage, like protecting a long-term contract. Strong supplier power quashes innovation because a dominant supplier has little reason to innovate beyond doing barely enough to protect their position.
Small, incremental innovations characterize competitive situations with strong supplier power. There are many areas of defense, and especially intelligence, where a long-term contract is held. Examples include the operation of a satellite collection system, or AI support services to a command. Government generally is afraid of entertaining new ways of doing things by talking with innovators outside of existing suppliers who might do it better because lack of security clearances block this conversation from ever happening. Government buyers can’t discuss matters with firms that don’t possess these clearances. Individuals in government are even fearful that talking informally with outsiders with new ideas could get them in trouble. Security monitoring systems might pick up such contacts. Workers understand only too well the values and attitudes of their employer. Going against the grain, even to try to find a better product, may not be appreciated, or worse—it may be flagged as a security violation, with career implications.
This all works to keep suppliers in their dominant position. It also discourages them from innovating. They will ask: “Why bother to do expensive research and development (R&D) if we’re assured of keeping the contract anyway?”
Threat of entry describes the likelihood that a new player will enter a market. A new entrant obviously increases competition, and thereby lowers profits for those already in that market. High barriers to entry keep potential rivals from bidding because they can’t easily assemble the necessary skills and information for writing a competitive proposal.
A good example is Amazon Web Services (AWS) entering the Central Intelligence Agency’s cloud computing competition in 2013 and beating IBM. The largest barrier to entry that AWS faced was getting qualified experts with the necessary clearances to know enough to write the proposal. For the intelligence market, finding such individuals is especially critical. The added difficulty in intelligence is getting the special access clearances, which creates very high barriers to entry and keeps potential rivals (like AWS) away from a market (like the CIA cloud). The security system constrains a government agency’s ability to freely speak with innovators who do not have the appropriate clearances. This, obviously, reduces innovation since potentially knowledgeable companies are kept out of the picture.
The AWS win over IBM in 2013 is an especially interesting case. It required the significant financial backing of a giant company, Amazon, to win the contract. It is doubtful that a small- or medium-sized company could have ousted IBM since it had been a dominant supplier for a long time. Even with superior cloud technology, a medium- or small-sized firm would have found it difficult to pay the steep price needed to enter this market. Amazon had deep pockets and could do this.
Buyer power deals with the ability to dictate terms to suppliers. The ultimate buyer in defense and intelligence markets is a single entity, the Pentagon, or a three-letter intelligence agency. In theory, buyer power is high because the government is a monopsony, that is, there’s a single buyer.
However, in practice, buyer power is limited because government is not a “smart buyer.” Government is hemmed in by complex federal regulations. Those inside the government find it difficult to even speak with outside companies if they aren’t adequately cleared. This dynamic shields existing firms from new competition, but the situation is actually worse: It directs the innovation strategies of established companies not to new technology, but to legal, procedural, and political actions to protect their market position. Most of them have huge staffs that are experts in protesting contract awards and keeping up with government regulatory changes. It is doubtful that such administrative schemes really add much to national defense.
Substitute products are alternative ways to meet a need or requirement. Uber, to use an example, is an alternative product to automobile ownership. Likewise, streaming video substitutes for a cable TV subscription. Defense examples include drones as a substitute for manned aircraft. Cyber attacks can neutralize a target instead of a missile strike, and so forth.
Today, substitution is especially important for innovation because there are many possibilities arising from new technologies. To analyze substitution potential, one has to know enough about these different technologies. The widespread use of “black programs” built on special-access, code-word clearances makes such an analysis almost impossible. In some instances, a manager would literally be breaking the law if she tried to compare different products for a mission need. Indeed, there are wasteful duplicate programs in some highly classified programs like space and cyber because of the impenetrable security walls separating the different black programs.
The current security system is built on a need-to-know basis, for an era when technologies operated in distinct vertical silos. Today, the world—and government’s needs—have changed with networked technologies. There are many different (substitute) ways to meet a mission requirement.
Conclusions and Recommendations
Two major conclusions come from this analysis. First, the security system of clearances and access control has two roles. This must be understood from the outset. It is used to protect national security—and to advance narrow business advantage. These two roles can have a deadly effect on innovation because clearances block the horizontal discussions necessary to develop new technologies and approaches. At the same time, the security system is strongly biased to protect existing dominant players. It discourages new players from entering the defense market.
Second, barriers to innovation from the security system will become a much bigger problem in the future for two reasons. First, the defense and intelligence system of the United States is becoming more interconnected. Networks are the name of the game now. To plug into these networks, one needs to know about the interfaces that link the different subsystems. These are highly classified. Cyber is the most highly classified area in defense today, like nuclear weapons design was in the 1950s. This situation gives a strong bias to supplier power advantage, and it makes deterrence to entry much greater. Quite simply, the dominant players have little reason to innovate, or to pay a fair price for the acquisition of small companies.
The second reason that clearances will dampen innovation in the future is that the locus of defense innovation has shifted to a great degree to small- and medium-size enterprises. These are the small firms in Silicon Valley, northern Virginia, Austin, and around Boston’s Route 128.
These firms are technology focused, and they have a limited ability to discover new defense applications for their work because they don’t have a breadth of knowledge or the clearances to work outside of their narrow domain. Larger defense companies will leverage their informational advantage against them and use clearances to squeeze them. The big firm says to the small one, “Look, we don’t care how great your technology is. We’ve cornered the clearances and access to the National Security Agency—and you haven’t. Drop your price—or you’re out of this contract.” Especially in a networked world, the small firm needs the larger one as it’s the only gateway they have to participate in large projects.
For a long time, I’ve urged the Department of Defense to do a study that asks a simple question: Do large defense companies—the lead systems integrators—take too much? Are they crushing innovation in the lower-tier suppliers? I’ve never found any interest by DoD in this, the most fundamental question of innovation: Who gets what?
As to designing a new security system for the 21st century, there are several possibilities. The first is simply to appreciate just how damaging the current security system is for defense innovation. Congressional hearings on over-classification, abusive use of clearances to protect markets, and wasteful duplication arising from an inability to compare substitute products would garner a lot of attention.
Second, the current security system’s performance in actually protecting secrets isn’t effective. The recent SolarWinds and Microsoft hacks, and Chinese and Russian penetration into major weapons systems, make it clear that the enemy has deep inroads into American government organizations and systems. The current clearance system is not really stopping them. If it were, then we might be understandably reluctant to tamper with it. But this is far from the case. In truth, the current security system has few supporters other than those who are in charge of checking clearances, monitoring employee behavior, and auditing visits with outside groups.
A third action would be to establish a national commission on secrecy and innovation. In recent years, commissions have analyzed AI, hypersonic missiles, space, and cyber. They have all come up with useful recommendations. Most often these include calls to increase government R&D, expand education, and create a White House czar to drive change.
But these recommendations are offset by a security system designed in the 1950s when the danger was one of spilling secrets from silos built around nuclear weapons, missiles, and aircraft. Now, this old security system is applied to new technologies like space, cyber, hypersonic missiles, and AI. This is very different from the closed innovation silos of the Cold War. Innovation requires going outside of the silos to bring in fresh ideas from different technical fields.
There’s a tension between secrecy and innovation. I don’t think this tension line is even recognized in today’s debates about whistleblowers and cyber espionage. To juice up defense innovation, we need to recognize the dual role of the system: security and innovation. We need to move the needle toward the innovation side of the ledger. Otherwise, a “secrecy first” culture will strangle innovation. This system has to change if the United States is to leverage its immense technological potential into real military advantage.
No comments:
Post a Comment