I was reading through some news items today, and ran across several stories asking why Freddie Mac chose to ignore advice from their risk management officers who were telling Freddie Mac CEO, Richard F. Syron, that the risky subprime loans they were backing were exposing them to huge risks (
read the article here).
This reminded me of an article I recently penned. I am not sure it answers the question, but I think it makes a valid point:
Humans are generally well intentioned beings. We do not, however, begin life that way. Any of you who have children can certainly relate to this. A child is perhaps the most self centered being in the world. Children will fly into tantrums, hit, kick, bite, steal, and do whatever it takes to get what they both need and want. This is not because children are inherently evil. They simply do not know any other way to survive. When we attempt to teach our children how to do better it is no surprise that they do not welcome this gift of wisdom. After all, their method works to achieve the results they want, and changing gears is just too much work.
Some parents persevere in the endeavor to make their children understand the importance of being well mannered, sharing with others, and honesty. These parents are generally rewarded for their efforts in the long term, yet are often left biting their nails in frustration in the short term. It is, by any stretch of the imagination, no easy task, and many parents seek the assistance of others as they endeavor to stay the course in raising their children while attempting to avoid the pitfalls of frustration which so often force even the most determined to give in. We ask those we trust and love for assistance. We hire professionals into our homes to help us build better offspring. We send them off to schools to learn what they need to know to be all they can be. We buy books and study them, hoping to glean some insight on how to do better.
At times, however, we end up with children who don’t seem to reach maximum potential, and they grow into adults who struggle to make it in an often difficult world, and who frequently wreak havoc on a seemingly well designed sociological master plan. There is no need to expound on this; we all know what I am talking about. As Ayn Rand so eloquently illustrated in “Atlas Shrugged”, there are those that exploit and there are those that are exploited. Remarkably, the “exploiter” often begins life as the “exploited”. This is not always true, but it is true often enough to be noteworthy.
Why is it that we sometimes fail at this project? Volumes have been written with so many reasons and theories that it has created a multi-billion dollar industry for writers, doctors, psychologists, and the list goes on. Some suggest it may be diet. Others suggest it is the way we teach our children. Some feel it the music they listen to, the TV they watch, or the games they play. The way we raise our children changes with each generation, based on who is considered the expert of the day. One common thread which seems to remain intact, however, is perhaps the most valuable information of all. Parents who truly CARE about how they are raising their children seem to achieve success.
I need to stop for a moment and define what I mean by CARE. Truly caring about someone or something is, at its core, an unselfish act. It is about recognizing and setting aside personal gains, ego, fears, and barriers in order to focus on the achievement of an initiative which can stand as a testament to excellence. It is not about forcing your child to go to medical school so you can proudly boast to your friends associates that your child is a doctor. It is about doing what it takes to raise a child that can stand on his (her) own and proudly proclaim that all that he has become, whatever that may be, is in large part because you cared enough to guide him to find his passion and reach his maximum potential. To succeed at this, however, requires commitment and good judgment. The kind of commitment and judgment I am referring to is of the type that comes from careful introspective analysis in a non-egotistical manner. This is the type of commitment that considers the wisdom of others who have faced such challenges and have risen above them despite the obstacles they faced. This is the type of commitment which does not hand the task at hand over to someone else to do, while stepping back, only to lay blame on someone else when the outcome is not what was expected. This is the type of commitment and good judgment which is not afraid to question the judgment of others and raise the difficult questions, despite the fear associated with “rocking the boat” or questioning “common wisdom”. This is also the type of commitment and good judgment that leads to perhaps the most difficult task of all: The ability to admit when you have made a mistake and to change direction to fix the mistake and get back on track.
So what does this have to do with voting machines, our national mortgage crisis, and the current ePedigree solutions being proposed for ensuring authenticity of drugs from the global supply chain in the Pharmaceutical industry?
As we made the move into the modern age we live in, replete with technological marvels only a true Luddite would not embrace, we found ourselves with an ever-growing need to shed ourselves of many old ways. Voting on paper seemed to make no more sense than filling out withdrawal slips at a bank or writing checks at the grocery store. Sure, there are still those among us that embrace the old-fashioned way of performing these tasks. By and large, however, they are a dying breed. Paper-based voting systems required too much space, time, and money to tally the votes. It was clearly time to digitize the system. Voting machine companies and election committees from various states got together and began hammering out the details of the project, and the voting machines hit the ground running. Then disaster struck. Academics, reporters, and whitehat hackers discovered that the security of these systems was entirely inadequate for the purpose they were designed for. State election officials began decertifying these machines, and the court of public opinion pointed at the voting machine manufacturers and accused them of everything short of treason for their lack of attention to security. Being a security company, we decided it would be a good idea to study this situation and perhaps offer some assistance. As we discovered, the level of security of the voting machines was not a major concern for nearly all state certifying bodies at the time that these machines were first certified by the State. Some voting machine companies clearly understood what it would take to build a secure system, yet the requirements did not dictate a need for a secure system, and the voting machine companies couldn’t justify spending the money for security as it would make them uncompetitive.
Who is at fault here? Is it the election committee’s fault for not validating the security of the system? Is it the voting machine company’s fault for not insisting that the system had to be more secure and spending a little more money to make the security at least reasonable? Is it the fault of the American public for not seeing this coming? These are tough questions, but one question is easily answered: Who ended up paying for the failure? Yes, dear reader, we did.
Then there is the mortgage crisis we are all now quite familiar with. Almost everyone in the financial world knew of the enormous risks associated with sub-prime mortgages. Economists, academics, realtors, and simply sensible people tried to warn us of the dangers of what was happening in the market. Still, countless people continued to play this dangerous game, hoping to avoid being burned. Many people deluded themselves into believing those who characterized the experts that were warning us as “fear mongers” and “out of touch financially”. Hindsight is 20/20. We are paying the cost for this failure.
Now we come to the enormous ePedigree initiative. Counterfeit drugs are an enormous problem. Some estimates claim as much as 30% of drugs coming from some nations are counterfeit. Counterfeiting drugs has become a multi-billion dollar industry worldwide. Many operations which once dealt in illegal narcotics and other illegal drugs have turned to counterfeiting due to the enormity of the market and the relative ease with which those who deal in counterfeit drugs can operate (compared to those who produce illegal drugs). Clearly, something had to be done to combat this growing menace. The United States government, in cooperation with governments all over the world, decided to take action by requiring a pedigree for each and every drug produced and/or sold in the United States. By requiring a traceable pedigree for these drugs from producer to consumer, and every step along the way, in the event of a problem the point of breakdown could be detected, isolated and addressed. Initially, the rollout for this system was slated for 2010 (2009 for California), and has been pushed back to 2011. This is, without a doubt, a huge project with an enormous number of complexities involved in implementation. One of the first steps in this process that stakeholder have focused on is determining what technologies and methods would be employed to track these drugs. Will it be 2D barcodes, RFID, security chips, databases, auditing & legal resource? The list goes on. How will the information be shared? The complexity is staggering.
As a security expert, I thought it would be prudent to get involved in this process. Surely, I speculated, the organizations tasked with implementing such systems would be extremely interested in making sure that the security of the system was validated. I was perhaps a bit naïve in my zeal. Organizations involved in the Pharmaceutical manufacture and supply chain are clearly focused on compliance with a law which failure to comply with will lead to a complete inability to do business. I have witnessed a great deal of activity at the tactical level – putting together the components to comply with the law, but have yet to see any activity at the solution security level. The law simply does not call for validation of system security at any level that a counterfeiter could sidestep – these organizations are not allocating resources and mindshare to anything other than compliance. Hackers and perpetrators are much more determined, sophisticated, and resilient than government regulations around compliance. We all intuitively know this, yet where is the duty of Care to do something about it. Will this “Care” only emerge after enough people have died, or enough money has been wasted on a broken system, where people will be then be galvanized to be the hero and fix the problem, once the appropriate resources and attention has been allocated. What kind of “Caring” is this? Can a company afford to care if nobody else does?
So then I need to ask the same questions I asked earlier. Whose responsibility is it to validate the security of the system? Who is expected to CARE enough and demonstrate commitment and good judgment? Whose fault is it when the Pharmaceutical industry spends billions of dollars implementing a system that, if implemented without careful consideration of the security issues surrounding the deployment, is doomed to fail as did electronic voting systems and the mortgage markets? Only this time, people’s lives are directly at stake. Who is going to pay to implement the system, then pay to fix it when it fails, not to mention pay for the recourse to remedy wrongful deaths?
You and I will, of course.
So whose responsibility is it? Who will step up to the plate? Who can step up to the plate?
