Archive for the ‘Governance’ Category

Until recently, the mil-spec for fruitcake (MIL-F-1499F) filled 18 pages with dense text describing every aspect of the allowable composition and baking process. Most of us would use a half-page recipe to get something just as inedible. Why the difference?

The mil-spec was written as a result of abuses during the Civil War when unscrupulous bakers would throw a few raisins into a barely cooked lump of flour and call it fruitcake. Given the legislated procurement process which required the service to accept the lowest bid, soldiers got stuck with discouraging regularity. The mil-spec tried to ensure that at least some minimum standards were met. Sure, you have to assume that people are basically evil but you might get something edible.

The problem comes in implementation over time. One specification document might be readable, especially that first clean draft. But a hundred of them? After they’ve been through a dozen inconsistent rewrites? And how do you interpret that incredibly specific policy when the circumstances have changed? People either comply with the specification by rote (not good) or ignore the policy altogether (worse).

I’ve been thinking a lot about governance lately and I think there’s a lesson here for corporate policies. You have a choice about how you try to get people to do the right thing.

Many companies follow the mil-spec model. They write detailed policies itemizing all the allowed and disallowed behaviors. They attempt to predict every scenario and end up adding to their policies for every new situation. Not only do you have an acceptable use policy for email but a separate one for Facebook and Twitter and instant messaging, all on top of the old guide for telephone etiquette, etc, etc, etc. Regulators and auditors love this highly detailed approach. It shows that the policy writer has thought hard about the topic and, more importantly, it gives the regulator lots of concrete things to measure.

Of course, compliance under this model is suspect at best. Who has time to read a 200-page ethics guide? How do you enforce your policy when someone does something bad that’s not explicitly covered? Detail prevents gamesmanship but often at the cost of inhibiting critical thinking. Eventually, you’ll raise the costs of compliance past the costs of the problem you were originally trying to solve.

The alternative is to write policies more generally. Start with the assumption that most people basically want to do the right thing and set broad expectations on outcomes and approaches. Give them a short, understandable set of principles that can be applied across lots of scenarios and set specific standards only where absolutely necessary. Then give your staff the authority to use their discretion. Of course, you also have to hold them strictly accountable to living up to those broad expectations. You are delegating authority, not abrogating it.

The broader alternative carries its own risk, however. Regulators are much less comfortable with the lack of detail. So are your lawyers when it comes time to terminate someone for violating the policy. You may have to deal with someone deliberately gaming the rules. This approach takes real leadership. It may take your staff less time (which means they’re more likely to read the policy in the first place) but it will take more of your time. Is that a price you’re willing to pay?

So what’s your approach to governance like? Does your security policy read like a mil-spec, attempting to spell out every possible scenario and itemize every misdeed? Or do you take a broader approach? What’s worked for you?

This post is not directly related to security though it does have some connections through the broader concept of governance and leadership. It is something I’ve been thinking about a lot lately and I feel an obligation to write. For those of you reading just for the tactical security tips, please skip this post.

Recently, there has been a great deal of chatter about eliminating the filibuster – the rule within the Senate that effectively allows a single senator to hold up a bill by continuing to talk about it for hours, days or even weeks on end. The filibuster has been rather famously used to disrupt the passage of key bills and nominations proposed by the majority power. Filibusters are being described as a prime example of partisan bickering and legislative gridlock.

I disagree. Yes, the filibuster can be abused for purely partisan purposes but at its core the filibuster is a way for the minority party (whether currently Democrat, Republican, Whig or Federalist) to keep a stake in the operations of government and to continue to influence debate. Despite the threats about the “nuclear option”, neither party would be served by the elimination of the filibuster.

Much more importantly, the filibuster is a check against the tyranny of the majority. By allowing a mechanism to raise the threshold for a vote from simple majority (50% plus 1) to a super-majority, it acts as a check against the ability of the majority to vote themselves unlimited privileges. 51% of the population could, for example, decide to fund the government by taxing just the other 49% – or less obviously, to skew the burden of taxation onto the minority. Or the 51% could vote in a particular moral code which may not be held by – may even be anathema to – the 49%.

The majority could do so even in a situation where the 51% felt only weak agreement but the 49% disagreed vehemently. Our simple majority voting system is prone to bias and sub-optimal decisions when the voting groups have different degrees of preference for a result or where multiple options could/should be considered. (Wikipedia has an excellent discussion of alternative voting structures, some of which are less susceptible to this bias though they each have their own limitations in turn.)

Our legislative system is also susceptible to a recency bias. Get 51% today and even if you can only keep your majority for the time it takes to vote, the effects will long outlast the majority opinion. In theory, it should be as easy to rescind a law as it was to pass it but in practice, it is remarkably hard to undo a law even in the face of convincing evidence that it is ineffective.

The filibuster is not the only check and balance in our system against the tyranny of the majority and recency bias and it’s not a perfect one but it is an important one. A 61% majority might still impose their will on the remaining 39% but that higher threshold gives the affected minority a chance to raise the stakes and to force additional scrutiny on the debate.

Now there are those who say that the filibuster was a mistake – a minor omission in the procedural rules of the Senate that took on a life of its own. If it was a mistake, it ranks as an outstanding example of serendipity. It subtly encourages one arm of the government to be more deliberative and circumspect in their aims.

I will concede, however, that some of the procedural rules changes within the Senate make it easier to use than was historically the case. In particular, when the Senate allowed “tracking” in the early 1960s, the connection between the objection and visible debate was broken. Jimmy Stewart in Mr Smith Goes to Washington is no more. Under the current rules, a Senator lodges a procedural filibuster, the bill is tabled and the Senate moves on to other business. No dramatic and colorful endurance exercises on the floor. No pain at all, either for the Senator doing the filibustering or for his peers who should be listening to it. Perhaps they should feel some pain though. It might encourage them to actually address the underlying issues instead of adopting waiting games and back-room deals for votes. A little bit of pain and a lot of visibility might put some skin back in the game. It might return the filibuster to the status it once held – an important and special legislative tactic to be used only when truly needed.

Either way, it remains an invaluable protection for the rights of the minority.