the Ronosphere

Tax Rhetoric: Convenient Diversion or Social Inequality Exposed?

2012-01-29T11:14:00.000-06:00

Clearly the ‘wealthy’ are not ‘paying their fair share,’ as the President and the Occupy Movement (aided by CNN, NPR, and even Fox News) attests. The president also implied that Warren Buffet (Forbes 3rd richest individual) pays less than his secretary. They must do more.

Really? So who does pay taxes in the US, and how much? What if I were to tell you that of the 1% of highest income earners in the US paid 36.72% of all taxes in 2009 (the last year for which statistics have been published). In other words more than 1/3 of all taxes collected from individuals came from just 1% of ALL income earners. The source? Your Internal Revenue Service.

For the impatient or busy among you, the bottom line is this: The pressing political issue in this election year is not about inequality, or fairness, - its about whether we believe that granting increasing economic power to the Federal Government, at the cost of the actual engines of economic growth, non-governmental enterprise, will create the kind of society we each want. If we don’t arrest federal spending, the result must be higher taxes on individuals and businesses across all incomes, and increased interest payments on Federal debt. All of which is is then unavailable to create productive jobs - jobs that expand the economy.

___

Ok for those of you still hanging in there: Who really pays taxes?

Using the IRS data above, the Tax Foundation breaks down the average tax rate that applied to all individual tax payers as follows:

Top Percentile (% of top taxpayers by income level)	Share of Total Adjusted Gross Income	Share of Total Individual Taxes Paid	Taxes as Percentage of Earnings (Effective Average Tax Rate)	Income Above
1%	16.90%	36.70%	24%	$343,927
5%	31.70%	58.70%	20%	154,643
10%	43.20%	70.50%	18%	112,124
25%	65.80%	87.30%	15%	66,193
50%	86.50%	97.70%	12.50%	$32,923

According to the IRS, the top 1% on average pay the highest effective tax rate of 24% on their earnings, Mitt Romney and Warren Buffet notwithstanding. They also pay over 36% of ALL taxes. The next highest group, above $154,000/yr (top 5%), excluding the top 1%, pay an additional 22% of all taxes collected.

The top 5% of income earners in total pay almost 60% of all of the total individual taxes collected.

Think about this. 5% of all income earners pay 58.7% of all individual federal taxes collected. This means that of all tax payers (the 50% of us who actually pay federal tax) - the top 5% pay at least 1.5 times as much as a percentage of their income as do the rest of us (or any of us) already. And let's not overlook the fact that almost 50% of income earners now pay no federal income tax whatsoever.

The chart above tells us that the top 1% ($343K+) earn almost 17% of the total income, but pay 37% of all taxes. The top 5% ($154K) earn almost 32% of the total, but pay close to 60% of all taxes. The top 25% ($66K/yr and up) earn about 66% of all individual income, and pay about 88% of all taxes collected. This means that 75% of all taxpayers, earning less than that $66K/yr, pay less than 12% of all taxes. And the tax system is not progressive enough?

The populist and underlying assumption about taxing higher income earners is simple: their income is the fruit of ill-gotten gain, and therefore those ‘earning’ it don’t deserve it. It should be therefore surrendered to the government, or at least as much as the state can get away with taking. If this unspoken assumption isn’t class warfare - I don’t know what is.

If you consider the exponential increase in federal spending and the deficits it represents - if you think confiscatory taxation will stop with the top 1%, or %5%, or 10% - think again. Out of control Federal spending, as illustrated by the St. Louis Federal Reserve chart below tells us only one thing: we either arrest and cut federal spending, or divert more and more from the wealth and job producing economy, to one that exists only on the backs of the productive. In the end, it will ultimately affect all taxpayers.

We can discuss and argue about the roles of republican and democrat regimes in the current situation. But it is clear that Federal spending was on a steady and accelerating course before Obama took office. Since then, both parties have joined hands to enact both the largest federal bail-outs and the most wide sweeping entitlement (Obamacare) in US history. Each have created huge liabilities from which there are only one of two courses: radically spending cuts and then allowing we the people to rebuild and clean up the mess; or rely on an increasingly powerful federal government to mold and shape our economic and personal lives.

This is an election year. The situation is not hopeless. We either support candidates who are committed to arresting uncontrolled spending, or we give up and accept an inevitable Grecian winter. The choice is ours. The time is now. Study your candidates, local, statewide, and national. Make a decision, vote. It won't be perfect, it probably won't be popular. But at least you will have stood up to be counted as one who has said, 'Enough!'

Cheers!

~r

References:

IRS Individual Statistical Tables by Tax Rate and Income Percentile

Federal Reserve Bank of St. Louis

Intellectual Takeout

Tax Foundation

Upgrading early 2008 MacBook Pro with SSD

2011-08-15T10:54:00.003-05:00

My early 2008 (non-unibody) Mac Book Pro came off of Apple Care support this summer. Normally I would buy a new machine, and retire the three year old workhorse to the family depot. A European vacation and my daughter leaving for university have put a pinch on the budget, so I opted for an upgrade instead.

I’ve installed a Crucial 256GB m4 SSD to replace the 200MB original SATA drive. I will install an MCE Optibay drive in place of my existing SuperDrive (DVD), and put the SuperDrive into an external housing for the infrequent times I need to use it. The Opti-Bay will let me run a local time machine and store my various and sundry VMWare images and other encrypted DMG’s housing various working files.

Invaluable were Damieng’s blog covering his experience, and iFixit’s replacement guide showing how to do it. Also required is either Mac OS X 10.6.8 or the new Lion (10.7) release of Mac OS X, coupled with Oskar Groth’s TRIM Enabler 1.2. TRIM enabler patches 10.6.8 or 10.7 to enable the SSD TRIM commands, which are essential for maintaining efficient performance of the SSD. Mac OS X 10.6.8 and 10.7 support TRIM, but only for recognized Apple SSD’s. TRIM enabler removes the restriction and promises long and happy life for your SSD.

Results
Boot times are significantly faster and launch times for apps seem almost instantaneous. Whereas Lotus Notes used to take up to 2 minutes to mount its data drive (encrypted sparse bundle) and launch the app. Its ready to rock in less than 10 seconds now. Login is instantaneous, and Safari seems significantly snappier then when it was using a hard drive for caching. Low latency seems like no latency in comparison. I can’t imagine getting a new Mac without and SSD as its primary drive.

Its important if not useful to note that the Crucial M4 is probably overkill for this machine. Its second generation SATA II native interface at 6Gb/s is 4 times faster than my early 2008 MacBook Pro’s SATA 1 interface that runs at a measly 1.5Gb/s. Nonetheless, my already snappy if old MacBook Pro now seems lightning fast. It’s cooler, lighter, quieter, and less power hungry than the stock 200GB drive.

Bottom line
Upgrading to SSD was a good investment to extend the life of my MacBook Pro, and create a computing environment more suited to my current needs. If I get another 2 years our of this machine, I’ll consider it an excellent investment.

I’m now running OS X Lion (10.7) - the jury’s still out. It seems grayer and more stoic than the previous felines it succeeds.

Tools
Make sure you have the proper tools for the job. The non-unibody Mac’s have a confounding array of screws in different sizes, both Torx and Phillips head. And the drive replacement requires the use of a ‘spudger’ to gently separate a delicate ribbon cable from the drive on which it’s glued. You need a spudger, a jeweler’s phillips head screwdriver, and a torx driver. I got mine from Amazon. I also recommend having 5 small cups handy into which you'll put the various types of screws as you’re following iFixit’s directions. Guessing which go where during reassembly will be a bear otherwise.

Manifest

How To Sites

PS - DO Read Damien Guard’s blogs for additional performance enhancing tips for SSD use!

Cheers!

~r

Conservative Constitutionalist - Justice Ruth Bader Ginsburg

2011-05-26T11:26:00.002-05:00

It is with no small amount of trepidation, of which I’ll explain shortly, I find myself siding with one of the most ‘liberal’ justice’s conservative defense of the 4th amendment in ‘Kentucky v. King,’ decided in this week’s Supreme Court docket.

Ruth Bader Ginsburg, with whom I couldn’t imagine myself agreeing, this week issued the sole dissent to the Court’s landmark decision concerning warrantless searches pursuant to the doctrine of ‘exigent circumstances.’

Ginsburg cited Brigham City v Stuart, 547 U. S. 398, 403 (2006) which defines “exigent’ circumstances [as] “when there is an imminent risk of death or serious injury, or danger that evidence will be immediately destroyed, or that a suspect will escape.”

The majority opinion hinged on the ‘danger that evidence will be immediately destroyed’ and the extent to which the officers in the case ‘caused’ the circumstances by loudly banging on the door of the residence.

If the police had probable cause and could convince a judge of the same, prudence suggests they wait and make sure they have the warrant before provoking ‘exigent’ circumstances. The evidence suggests they could have done so, but failed to do so.

The 4th amendment declares our right to be secure in our persons, houses, papers, and effects, against unreasonable searches and seizures. The court, in favoring law enforcement against what after the fact were shown to be criminals, has given the state yet more power against all individuals, diminishing the rights of all in order to prevail against a few.

Justice Ginsburg’s well reasoned dissent from the majority opinion is the conservative opinion - conserving the principle embodied in the 4th Amendment of the Bill of Rights of protecting the individual against the overwhelming power for the state.

Justice Ruth Bader Ginsburg, a conservative constitutionalist. Who woulda thunk it?

Is anyone listenting?

2011-03-15T21:51:00.009-05:00

If you watch British programming, and you pay attention - you’ll note that rarely do the characters interrupt each other.

We Americans, on the other hand, don’t think we’re communicating if we’re not interrupting. Count how many times within a 10 minute period during your next business meeting somebody interrupt or talks over someone else. You may be surprised.

My mother was English. I don’t remember ever interrupting either my mother or father at the dinner table. (Then again I don’t remember many of the conversations.) But I do remember the driving need to say something, alas, at the expense of someone who hadn’t completed their thought. Its astonishing the amount of ‘over-speaking’ that occurs in every day business meetings. I regret to say that while I’m learning (still) to wait my turn - I interrupt more than, well, more than I like.

So what?

Ever wonder why we like to text, SMS, chat, or zing one another? Walking my dog Kairo this evening, I realized that I text because I can complete a thought, a message, a word - without interruption. I call someone on the phone when I want to elicit some information - when I ask a question and let the respondent riff, guided by a prod here and there, to get what I ‘came’ for. But if I call to share some happening or idea, actually having a conversation with someone is attended by the risk that I will be interrupted. If I want to convey a particular idea - the fascist in me wants to put it all out there without interruption - without having to navigate a conversational cadence that isn’t conducive to my objective. But maybe I'm missing the point.

I sometimes wish that I were more British. Raised in public school with public school manners. Everyone speaking their turn, completing their thought - everyone knowing they’d be heard. I think they call it ‘active listening.’ Most people just call it the art of conversation.

We text and email so we can be heard without it, without interruption. What I might like is largely irrelevant. But apparently I am an American - and we seem to do interruption best.

Is anyone listening?

~r

Mac OS X - How I moved Steam's Games from my primary to an alternate drive

2010-12-21T15:07:00.002-06:00

I finally succumbed to my daughter's ravings about the glories of Steam for buying, downloading, and managing one's games. (http://store.steampowered.com). It's a great site - especially with major bundles at 1/2 price. But, I didn’t want Steam’s games consuming large quantities of the primary disk on my MacBook Pro, so I arranged (as follows) a means to keep them on my iOmega firewire drive. Use at your own risk. Your mileage may vary.

On a Mac, Valve’s Steam keeps its downloaded games in the directory

        /Users/{loginName}/Library’Steam/SteamApps

where Login Name is the name of your home directory. Mine is just "ron" - or better yet, the home directory alias ~/ will do the trick

        or simply ~/Library/Steam/SteamApps

I created a Steam directory on my target drive, which is now “/Volumes/Media/Steam”

In order for Steam to be happy with the move of the games to the new storage drive, I had to do three things.

First, I copied the SteamApps directory from the Steam directory in my home file system to the new target drive. Second, I deleted the “SteamApps” directory from its original location. Lastly, I created a symbolic link (not an Apple “Alias”) from the new SteamApps directory on my target drive to the Steam directory on your home file system.

I used the following command to copy the games in SteamApps to my iomega drive:
cp -a ~/Library/“Application Support”/Steam/SteamApps /Volumes/Media/Steam
(Alternatively you can just use finder and drag the SteamApps directory to its new location.)

Next I used finder to navigate to /Volumes/MyMedia/Steam to validate my games had been copied. I then used finder again to navigate to ~/Library/Application Support/Steam and drag the SteamApps folder to the trash.

Lastly, using a terminal window I typed
        ln -sf /Volumes/Media/Steam/SteamApps SteamApps
(again, you can't use apple file aliases here!)

That’s it! I’m now downloading my new games. Steam is happy and running. And I’m not clogging up my primary drive.

Cheers!

~r

David Simpson - a nascent career worth watching.

2010-09-07T15:46:00.000-05:00

David embodies what liberty minded Texan's yearn for in a politician (and rarely believe when they see it) - A soft spoken man who lives what he speaks, and with passion, conviction, and a measure of humility some will not believe. Guilelessness is not naivete. And its written somewhere we will know them by their deeds - David's are worth watching.

The Shifting Landscape of Passport Fraud | STRATFOR

2010-07-19T20:43:00.000-05:00

The Shifting Landscape of Passport Fraud | STRATFOR

Opium and Afghanistan - An Intractable Equation?

2010-03-29T13:05:00.006-05:00

A - US Policy in Afghanistan assumes support of the Afghani population.
B - ~64% of the Afghan population participate in and rely on Opium related agriculture.
C - The Taliban and Al Qaeda rely on Afghan Opium export for much of their funding.

Is there a problem here? The Taliban, Al Qaeda, and the US seem to require the Opium trade to achieve their ends - the first two directly, the latter indirectly through the support of a significant portion of the Afghan population.

According to a report published today by StratFor, Afghanistan produces over 90% of the world's opium supply. It is a $2.3 Billion revenue source and represents a $65 Billion trade by the time it gets to end users - some of whom are presumably pharmaceutical companies (though a small percentage).

According to the World Fact Book, almost 80% of the population is involved in agriculture. The most important crop is Opium. Since the Fact Book doesn't include so-called "illicit" exports - the $ 547 M it cites as legitimate exports, implies that Opium represents 80% of all agricultural export dollars.

Annual Afghani production (of Afghani Opium) : 6000 Tons, 12 M lbs Opium (equivalent to 1.2M lbs Heroin)
Annual economic impact (to Afghanistan): $2.3 B, $191/lb. Opium, ($1,910/lb Heroin), about 20% of Afghanistan's GDP.
Annual global economic impact: $65 B, $5,400 /lb. Opium, ($54,000/lb Heroin)
78% of the population is involved in Agriculture

Afghani's (mainly traffickers) have stockpiled the equivalent of 2 years of demand, creating their own hedge against market fluctuations and a harvest season which runs from December through April.

The US has sidestepped demands for an opium eradication program. Wiping out 20-40% of the Afghan economy isn't seen as a move designed to gain local support for US military action. Perhaps more significant however is that some portion of the approx. $63 B ends up in the hands of the Taliban and Al Qaeda foes of the US.

The sheer profitability of the Opium trade mitigates easy replacement with acceptable cash crops. An admittedly rough comparison of Opium and Corn commodity prices underscores a replacement of the Opium ($191/lb) with the Corn ($0.0375/bushel = $ 0.00535/lb) to be - well, a challenge at least.

If one could ignore world wide demand for Opium and Opium products, then one might ask, if we simply paid $2.3 B/ year to farmers to grow other cash crops instead of Opium could we eliminate (literally) the Al Quaeda and Taliban middle men, the opium crop - and rid the world of 90% of the opium trade?

These numbers of course don't tell the whole story, or reveal the cost in human suffering and public health costs, let alone other, less tangible social costs. The StratFor article reveals that Russia has switched from a major shipment route for Afghani Opium, to a major market for Opium products. Vladimir Putin is encouraging eradication as a solution to his country's increasing heroin addiction problem. In the current phase of US/Afghani operations - the US is not listening very closely.

Until something is changed in the equation above, or its assumptions, I have to conclude that Afghanistan will remain an intractable quagmire.

That said - I have no doubt that God has a different equation in mind, a different set of principles than that of our respective national interests. I only pray that we can perceive and act upon it.

Polls or Votes? You really do decide!

2010-03-22T14:27:00.001-05:00

The March 17th Gallup Poll provides the following question and answer:

With yesterday's 219/214 vote on the reconciliation bill, narrowly passing the House - is the opinion of the American people really that important anymore? With TARP spending exceeding $740 billion - what's a measly $940 billion over 10 years? Perhaps November's election will tell us.

Now polls are just that, and not to be confused with elections. Last week's machinations are just another reminder that the panic begun in the late summer of 2007 has yet to give way to rational and principled governmental action. We appear to be spending our future on the fears of the present, and socializing 1/6 of the largest economy on the planet.

The tide will change - perhaps it already has. If so, Surfs Up! There's an election in November - its time to send a meaningful message. This is likely to be the largest off-year election in recent memory. I hope you'll join me in voting your opinion, and not leave Gallup, Zogbe, and the rest to speak for us.

The democrat leadership are hoping that we, democrat and republican constituencies alike have short memories. They may be short - but not that short.

Seven months and counting down . . .

Cheers!

~r

Stratfor: Using Intelligence from the Al-Mabough Hit

2010-03-08T19:27:00.001-06:00

By Fred Burton and Ben West

The assassination of senior Hamas militant leader Mahmoud al-Mabhouh on Jan. 19 is still generating a tremendous amount of discussion and speculation some six weeks after the fact. Dubai's police force has been steadily releasing new information almost on a daily basis, which has been driving the news cycle and keeping the story in the media spotlight. The most astounding release so far has been nearly 30 minutes of surveillance camera footage that depicts portions of a period spanning the arrival of the assassination team in Dubai, surveillance of al-Mabhouh, and the killing and the exfiltration of the team some 22 hours later.

By last count, Dubai police claim to have identified some 30 people suspected of involvement in the assassination; approximately 17 have been convincingly tied to the operation through video footage either as surveillants, managers or assassins, with the rest having only tenuous connections based on information released by the Dubai police. In any case, the operation certainly was elaborate and required the resources and planning of a highly organized agency, one most likely working for a nation-state.

Pre-Operation

While the 22-hour period depicted in the video showcased the tactical capabilities of the various teams, it hardly tells the whole story. In order to pinpoint the location of al-Mabhouh on the day of his killing, the organization responsible for this operation would have had to have tracked al-Mabhouh for months, if not years. This can be done in three ways: technical surveillance, utilization of human sources and physical surveillance.

Technical surveillance of al-Mabhouh would include monitoring his e-mail, telephone calls and other forms of electronic communications such as online credit-card transactions and travel reservations. This could reveal his physical location and future plans, which would allow the assassination team to anticipate his location and prepare well ahead of time. With such a large team involved in the assassination, careful coordination and planned movements would have been required to ensure that all members were in place without attracting attention.

But technical surveillance has limitations. An experienced operative like al-Mabhouh (who had been the target of two previous assassination attempts in as many years) would most likely have taken precautions that would have limited his electronic visibility. The operational team likely used human sources with close ties to al-Mabhouh who could corroborate the information and possibly influence the target's movements, putting him in place for the operation. Human sources could have included al-Mabhouh's colleagues within Hamas or a member of a rival group such as Fatah. (Three Palestinians suspected of being members of Fatah were arrested by Dubai authorities in connection with the assassination, indicating that the group may have provided human intelligence to the organization responsible for al-Mabhouh's assassination.) Other people could have been recruited using a number of incentives (including cash) without their knowing the consequences of their assistance. Both the technical and human intelligence operations would have been run by intelligence officers operating abroad and at locations separate from the operational team.

According to Dubai police, physical surveillance was conducted by members of the operational team during al-Mabhouh's previous trips to the United Arab Emirates. Physical surveillance is a critical part of any effective assault (whether it's a clandestine intelligence operation or a car-jacking) because it gives the operatives an opportunity to become familiar with their surroundings and recognize their target in his or her "natural" environment.

Once all this homework was done to establish al-Mabhouh's normal routines and determine his approximate location and duration of his stay in Dubai, the intelligence-collection process moved into the deployment phase and an operational team was sent into action.

The Operation

Prior to Mabhouh's arrival, surveillance teams set up in the airport and at different hotels to make sure they could obtain a visual confirmation of their target. Based on their intelligence of his prior trips to Dubai, planners placed teams in two hotels to wait for al-Mabhouh approximately an hour before his arrival. They also had a surveillance team waiting for him at the airport to follow him as soon as he entered the country and report his movements to the rest of the team. While it wasn't captured on video, we suspect that a mobile surveillance group tracked al-Mabhouh from the airport by car. To help ensure a successful outcome, the operational team used overwhelming force to prevent the target from ever seeing the same face twice. When it was established that al-Mabhouh was staying at the Al Bustan Rotana, the team responded by abandoning their other posts and directing their focus to that hotel.

Once al-Mabhouh was identified, the team locked on to him at the hotel and started initiating further steps in the operation. The first surveillance team watched al-Mabhouh register at the front desk and then followed him to his room, noting the target's specific room number. This was relayed to other members of the team, who then placed a reservation for the room across the hall from al-Mabhouh, which gave them direct access to their target. The selection of the room is very interesting for two reasons. First, it was directly across the hall from al-Mabhouh's room, giving the team a perfect spot from which to monitor his movements. Second, the room was just behind the video camera for that floor and the camera was trained on the emergency stairwell exit, which allowed the assassination team to carry out the attack on his room without being filmed.

Meanwhile, down in the hotel lobby, surveillance teams were rotating to monitor the target's movements in and out of the hotel. At one point, a surveillant is seen following al-Mabhouh out to the street to relay by cell phone the type of vehicle he had entered. These surveillants, operating in teams of two, used disguises such as hats, sunglasses, beards and work-out gear to establish a cover for action and better conceal their identities. While many members of the operational team were identified on closed-circuit television (CCTV), hats and sunglasses helped distort their images and reduce the already low risk of being recognized by the target or any protective team during the operation.

Another necessity in any operation like this is communications. Surveillance video of the team involved in this operation shows them using cell phones to send text messages and talk to other members of the team. According to reports from Dubai police, the cell phones used in the operation were dialed to an Austrian number, likely the operations and support center for the team on the ground and any others involved in the operation. This might have been an open conference line into which all members of the operational team could dial to monitor the movement of their target. It is unlikely that the center was actually in Austria; it probably used a proxy phone line to mask its true physical location.

Assassination and Exfiltration

At approximately 8:30 p.m. on Jan. 19, after al-Mabhouh returned to his hotel room from a meeting, the assassination team moved in. It was important to carry out the killing at a time and in a manner that would give the team the maximum window of opportunity. They suspected that al-Mabhouh was in for the night, which meant that nobody would miss him until early the following afternoon, giving the team ample time to flee the country. The team carried out the assassination smoothly, with video surveillance showing only two operatives casually talking outside the elevator (a cover for monitoring the hall for possible distractions) -- in other words, nothing out of the ordinary. The assassination team members also exhibited no unusual behavior when they departed the scene. Demeanor is extremely important, and the ability of the team to act calmly and naturally and not catch the attention of security guards monitoring CCTV ensured that the act remained a secret until hotel cleaning staff found the body more than 17 hours after the entire team had departed Dubai.

The assassination team also killed al-Mabhouh in a way that apparently confounded medical examiners trying to determine the cause of death, delaying the announcement of a criminal case for nine days. This delay gave the operational team ample time to cover its tracks, possibly by using third- and fourth-country border crossings, additional false identities and safe-houses, making it much harder for Dubai authorities to track team members to their ultimate destinations. This confusion appears to have been created by the use of a muscle relaxant called succinylcholine (also known as Suxamethonium), which, if used in large enough quantities, can cause the heart to stop, making it appear that the victim died of cardiac arrest. The drug also has a very short half-life, meaning that traces would degenerate and virtually disappear shortly after injection, making it ideal for covert operations such as this one.

The team was not able to pull off the operation with complete anonymity -- it is virtually impossible to operate in a modern environment without leaving some kind of electronic trace. The Dubai police were able to use video surveillance from the airport, hotels and a nearby shopping center to trace back the movements of the operatives and establish their identities according to the passports that they used. These later proved to be fraudulent passports from the United Kingdom, Ireland, Germany and France -- but they were extremely well-made fraudulent passports that were discovered later, only after video surveillance prompted closer scrutiny; customs officials were unable to detect this when the operatives were arriving or departing. Moreover, the credit cards used by several members of the operation team were linked to a company called Payoneer. The company's CEO is a former member of Israel Defense Forces special operations, and Payoneer has financial backing from a company based in Israel.

Dubai police have announced that they retrieved DNA evidence from at least one of the members on the assassination team and fingerprints from several others, giving authorities pieces of evidence that are unalterable, unlike a passport. However, DNA evidence is only helpful when it can be compared against an exemplar. If Dubai police are unable to find a match to the DNA sample or a fingerprint, then these clues will offer little immediate help.

The passports also provide little immediate help in terms of tracking down the suspects. The discovery that fraudulent British, Irish, German and French passports were used has created a diplomatic problem for Israel (Mossad is understandably at the top of the list of suspects), which raises the profile of the operation considerably. This is certainly not what a clandestine operation is supposed to do. Although the operatives will probably never be found and handed over to UAE authorities, the fact that so many details of the assassination have been made public jeopardizes the anonymity that is supposed to surround this kind of operation.

Potential Consequences

Al-Mabhouh was hardly a likable character. As a senior Hamas military commander, arms smuggler and liaison to Iran, he was already on the terrorist watch lists in the countries that have complained about the use of fraudulent passports. Public indignation is a necessary and expected reaction from these countries to save diplomatic face, but when it comes down to it, there would be few incentives to seriously punish Israel, if it indeed sponsored the hit. The police of Dubai and the United Arab Emirates, rightfully frustrated that they are tasked with solving an unsolvable case, will still probably not miss al-Mabhouh. Their efforts to stir up outrage over the assassination are likely fueled by their desire to save face in the Arab world, where the Palestinian cause is of high rhetorical importance but little strategic importance.

The fact is that the high level of complexity involved in this assassination, along with the smoothness with which it was carried out, is evidence that the operation was undertaken by an elite covert force, the likes of which could only be sponsored by a nation-state. The ability to conduct preliminary intelligence collection, to muster a large and coordinated team of skilled operatives, to fabricate passports to an exacting degree, to successfully exfiltrate all members of the team -- all of this requires a significant and well-funded effort that, we believe, exceeds the current capabilities of any non-state terrorist group. It is worth noting here that the most impressive aspect of the operation was the team's tradecraft and demeanor. All the members of this team were professionals.

Indeed, with so much time having already elapsed, and if the operation was sponsored by a nation-state, it is highly improbable that any of the operatives involved will ever be caught. However, countries around the world are offering their assistance in the case, including the United Kingdom, the United States, Canada and Australia. Few officials from these countries actually believe any of the operatives will be apprehended, but that is not the real reason to participate in the investigation. What officials are really looking for are the granular details of how this group of assassins and surveillants operated. These details are extremely valuable in ongoing counterintelligence efforts by countries to thwart foreign intelligence agencies operating on their home turf. The information can provide clues to past and future cases, and it can be used to build databases on covert operatives, so that if any of these people show up unexpectedly at an airport, hotel or embassy in the United Kingdom, the United States, Canada, Australia or elsewhere, the alarms can be sounded more quickly.

This report may be forwarded or republished on your website with attribution to www.stratfor.com.

Copyright 2010 Stratfor.

Stratfor: General Aviation: A Reminder of Vulnerability

2010-02-24T12:23:00.002-06:00

(Ron's Note: I find Stratfor's analysis and perspective a refreshing alternative to the ever shrill and adrenaline charged agitation of the commercial media. Many of my readers agree with me. I hope you will, too.)

By Scott Stewart

On Feb. 18, 2010, Joseph Andrew Stack flew his single-engine airplane into a seven-story office building in northwest Austin, Texas. The building housed an office of the Internal Revenue Service (IRS), along with several other tenants. According to a statement he posted to the Internet before taking off on his suicide flight, Stack intentionally targeted the IRS due to a long history of problems he had had with the agency. In the statement, Stack said he hoped that his action would cause "American zombies to wake up and revolt" against the government. Stack also expressed his hope that his message of violence would be one the government could not ignore.

Stack's use of violence to attempt to foster an uprising against the government and to alter government policy means that his attack against the IRS building was an act of domestic terrorism. (Terrorism is defined by the intent of the actor, not the effectiveness of the attack, a topic we will discuss in more detail at another time.) While Stack's terrorist attack ultimately will fail to attain either of his stated goals, he did succeed in killing himself and one victim and injuring some 13 other people. The fire resulting from the crash also caused extensive damage to the building. We have received credible reports that Stack had removed some of the seats from his aircraft and loaded a drum of aviation fuel inside the passenger compartment of his plane. This extra fuel may account for the extensive fire damage at the scene. According to STRATFOR analysts present at the scene, it appears that Stack's plane struck the concrete slab between floors. Had the aircraft not struck the slab head-on, it may have been able to penetrate the building more deeply, and this deeper penetration could have resulted in even more damage and a higher casualty count.

For many years now, STRATFOR has discussed the security vulnerability posed by general aviation and cargo aircraft. Stack's attack against the IRS building using his private plane provides a vivid reminder of this vulnerability.

Framing the Threat

As we have previously noted, jihadists, including al Qaeda's central core, have long had a fixation on attacks involving aircraft. This focus on aviation-related attacks includes not only attacks designed to take down passenger aircraft, like Operation Bojinka, the 2001 shoe bomb plot and the Heathrow liquid explosives plot, but also attacks that use aircraft as weapons, as evidenced by the 9/11 strikes and in the thwarted Library Tower plot, among others -- aircraft as human-guided cruise missiles, if you will. These aviation-focused plots are not just something from the past, or something confined just to the al Qaeda core leadership. The Christmas Day attempt to destroy Northwest Airlines Flight 253 demonstrated that the threat is current, and that at least some al Qaeda franchise groups (al Qaeda in the Arabian Peninsula, or AQAP, in this case) are also interested in aviation-focused plots.

Jihadists are not the only ones interested. Over the past several decades, a number of other actors have also conducted attacks against aviation-related targets, including such diverse actors as Palestinian, Lebanese, Japanese and Sikh militant groups, Colombian cartels, and the Libyan and North Korean intelligence services. Stack and people like Theodore Kaczynski, the "Unabomber," demonstrate that domestic terrorists can also view aviation as a target and a weapon. (UNABOM is an FBI acronym that stood for university and airline bomber, the targets Kaczynski initially focused on.)

The long history of airline hijackings and attacks has resulted in increased screening of airline passengers and an increase in the security measures afforded to the commercial aviation sector. These security measures have largely been reactive, and in spite of them, serious gaps in airline security persist.

Now, while some security vulnerabilities do exist, it is our belief that any future plans involving aircraft as weapons will be less likely to incorporate highly fueled commercial airliners, like those used on 9/11. In addition to newer federal security measures, such as expansion of the air marshal program, hardened cockpits and programs to allow pilots to carry firearms, there has also been a substantial psychological shift among airline crews and the traveling public. As Flight 93 demonstrated on Sept. 11, 2001, the new "let's roll" mentality of passengers and aircrews will make it more difficult for malefactors to gain control of a passenger aircraft without a fight. Before 9/11, crews (and even law enforcement officers traveling while armed) were taught to comply with hijackers' demands and not to openly confront them. The expectation was that a hijacked aircraft and passengers would be held hostage, not used as a weapon killing all aboard. The do-not-resist paradigm is long gone, and most attacks involving aircraft since 9/11 have focused on destroying aircraft in flight rather than on commandeering aircraft for use as weapons.

Paradigm Shift

This change in the security paradigm has altered the ability of jihadists and other militants to plan certain types of terrorist attacks, but that is just one half of the repetitive cycle. As security measures change, those planning attacks come up with new and innovative ways to counter the changes, whether they involve physical security measures or security procedures. Then when the new attack methods are revealed, security adjusts accordingly. For example, the shoe bomb attempt resulted in the screening of footwear. AQAP shifted the attack paradigm by concealing explosives in an operative's underwear. In the case of planners wanting to use aircraft as human-guided cruise missiles, one way the attack paradigm can be shifted is by turning their efforts away from passenger aircraft toward general aviation and cargo aircraft.

Most security upgrades in the aviation security realm have been focused on commercial air travel. While some general aviation terminals (referred to as FBOs, short for fixed base operators) have increased security in the post 9/11 world, like the Signature FBO at Boston's Logan Airport, which has walk-through metal detectors for crews and passengers and uses X-ray machines to screen luggage, many FBOs have very little security. Some smaller airports like the one used by Stack have little or no staffing at all, and pilots and visitors can come and go as they please. There are no security checks and the pilot only has to make a radio call before taking off.

This difference in FBO security stems from the fact that FBOs are owned by a wide variety of operators. Some are owned by private for-profit companies, while others are run by a city or county authority and some are even operated by the state government. The bottom line is that it is very easy for someone who is a pilot to show up at an airport and rent an aircraft. All he or she has to do is fill out a few forms, present a license and logbook and go for a check ride. Mohamed Atta, the commander of the 9/11 operation, was a pilot, and one of the great mysteries after his death was the reason behind some of his general aviation activity. It is known that he rented small aircraft in cities like Miami and Atlanta, but it is not known what he did while aloft in them. It is possible that he was just honing his skills as a pilot, but there are concerns that he may also have been conducting aerial surveillance of potential targets.

But general aviation doesn't just encompass small, single-engine airplanes like the ones owned by Stack and rented by Atta. Anyone with the money can charter a private passenger aircraft from a company such as NetJets or Flexjet, or even a private cargo aircraft. The size of these aircraft can vary from small Learjets to large Boeing Business Jets (a modified 737) and 747 cargo aircraft. In many places it is even possible for passengers to board a charter flight with no security checks of themselves or their baggage. In such a scenario, it would not be difficult for individuals such as Atta and his colleagues to take control of an aircraft from the crew -- especially if the crew is unarmed.

As seen on 9/11, or even in the Stack case, there is very little that can be done to stop an airplane flown by a suicidal pilot. The North American Aerospace Defense Command launched two F-16 fighters in response to the Stack incident, but they were not dispatched until after the incident was over. Only in the case where there is restricted airspace that is constantly patrolled is there much hope of military aircraft responding in time to stop such an attack. The 1994 incident in which an unemployed Maryland truck driver crashed a stolen Cessna into the South Lawn of the White House highlighted how there is very little that can be done to protect a building from this type of threat -- and the level of security at the White House in 1994 was far greater than the security afforded to almost any other building today. The difficulty of protecting buildings from aerial attack demonstrates the need to secure aircraft so they cannot be used in such a manner.

The bottom line, however, is that it would be prohibitively expensive to totally lock down all airports and aircraft nationwide in an effort to prevent them from being used in attacks like the one conducted by Stack. In the face of this reality, the best that can be hoped for is to keep the largest (and therefore most destructive) aircraft safe from this sort of misuse.

There is currently no one authority, like the Transportation Safety Commission, that controls security at all the small airports and FBOs. In the absence of any policy or regulations tightening the security at these facilities and requiring the screening of charter aircraft passengers, the best defense against the threat posed by this vulnerability will be to educate those in the FBO and charter aircraft business and encourage them to exercise a heightened state of situational awareness.

This report may be forwarded or republished on your website with attribution to www.stratfor.com.

Copyright 2010 Stratfor.

Stratfor: The Utility of Assassination

2010-02-22T18:02:00.006-06:00

Republished with permission of www.stratfor.com.

The apparent Israeli assassination of a Hamas operative in the United Arab Emirates turned into a bizarre event replete with numerous fraudulent passports, alleged Israeli operatives caught on videotape and international outrage (much of it feigned), more over the use of fraudulent passports than over the operative's death. If we are to believe the media, it took nearly 20 people and an international incident to kill him.

STRATFOR has written on the details of the killing as we have learned of them, but we see this as an occasion to address a broader question: the role of assassination in international politics.

Defining Assassination
We should begin by defining what we mean by assassination. It is the killing of a particular individual for political purposes. It differs from the killing of a spouse's lover because it is political. It differs from the killing of a soldier on the battlefield in that the soldier is anonymous and is not killed because of who he is but because of the army he is serving in.

The question of assassination, in the current jargon "targeted killing," raises the issue of its purpose. Apart from malice and revenge, as in Abraham Lincoln's assassination, the purpose of assassination is to achieve a particular political end by weakening an enemy in some way. Thus, the killing of Adm. Isoroku Yamamoto by the Americans in World War II was a targeted killing, an assassination. His movements were known, and the Americans had the opportunity to kill him. Killing an incompetent commander would be counterproductive, but Yamamoto was a superb strategist, without peer in the Japanese navy. Killing him would weaken Japan's war effort, or at least have a reasonable chance of doing so. With all the others dying around him in the midst of war, the moral choice did not seem complex then, nor does it seem complex now.

Such occasions rarely occur on the battlefield. There are few commanders who could not readily be replaced, and perhaps even replaced by someone more able. In any event, it is difficult to locate enemy commanders, meaning the opportunity to kill them rarely arises. And as commanders ask their troops to risk their lives, they have no moral claim to immunity from danger.

Now, take another case. Assume that the leader of a country were singular and irreplaceable, something very few are. But think of Fidel Castro, whose central role in the Cuban government was undeniable. Assume that he is the enemy of another country like the United States. It is an unofficial hostility -- no war has been declared -- but a very real one nonetheless. Is it illegitimate to try to kill such a leader in a bid to destroy his regime? Let's move that question to Adolph Hitler, the gold standard of evil. Would it be inappropriate to have sought to kill him in 1938 based on the type of regime he had created and what he said that he would do with it?

If the position is that killing Hitler would have been immoral, then we have a serious question about the moral standards being used. The more complex case is Castro. He is certainly no Hitler, but neither is he the romantic democratic revolutionary some have painted him as being. But if it is legitimate to kill Castro, then where is the line drawn? Who is it not legitimate to kill?

As with Yamamoto, the number of instances in which killing a political leader would make a difference in policy or in the regime's strength is extremely limited. In most cases, the argument against assassination is not moral but practical: It would make no difference if the target in question lives or dies. But where it would make a difference, the moral argument becomes difficult. If we establish that Hitler was a legitimate target, than we have established that there is not an absolute ban on political assassination. The question is what the threshold must be.

All of this is a preface to the killing in the United Arab Emirates, because that represents a third case. Since the rise of the modern intelligence apparatus, covert arms have frequently been attached to them. The nation-states of the 20th century all had intelligence organizations. These organizations carried out a range of clandestine operations beyond collecting intelligence, from supplying weapons to friendly political groups in foreign countries to overthrowing regimes to underwriting terrorist operations.

During the latter half of the century, nonstate-based covert organizations were developed. As European empires collapsed, political movements wishing to take control created covert warfare apparatuses to force the Europeans out or defeat political competitors. Israel's state-based intelligence system emerged from one created before the Jewish state's independence. The various Palestinian factions created their own. Beyond this, of course, groups like al Qaeda created their own covert capabilities, against which the United States has arrayed its own massive covert capability.

Assassinations Today
The contemporary reality is not a battlefield on which a Yamamoto might be singled out or a charismatic political leader whose death might destroy his regime. Rather, a great deal of contemporary international politics and warfare is built around these covert capabilities. In the case of Hamas, the mission of these covert operations is to secure the resources necessary for Hamas to engage Israeli forces on terms favorable to them, from terror to rocket attacks. For Israel, covert operations exist to shut off resources to Hamas (and other groups), leaving them unable to engage or resist Israel.

Expressed this way, covert warfare makes sense, particularly for the Israelis when they engage the clandestine efforts of Hamas. Hamas is moving covertly to secure resources. Its game is to evade the Israelis. The Israeli goal is to identify and eliminate the covert capability. Hamas is the hunted, Israel the hunter here. Apparently the hunter and hunted met in the United Arab Emirates, and the hunted was killed.

But there are complexities here. First, in warfare, the goal is to render the enemy incapable of resisting. Killing just any group of enemy soldiers is not the point. Indeed, diverting resources to engage the enemy on the margins, leaving the center of gravity of the enemy force untouched, harms far more than it helps. Covert warfare is different from conventional warfare, but the essential question stands: Is the target you are destroying essential to the enemy's ability to fight? And even more important, as the end of all war is political, does defeating this enemy bring you closer to your political goals?

Covert organizations, like armies, are designed to survive attrition. It is expected that operatives will be detected and killed; the system is designed to survive that. The goal of covert warfare is either to penetrate the enemy so deeply, or destroy one or more people so essential to the operation of the group, that the covert organization stops functioning. All covert organizations are designed to stop this from happening.

They achieve this through redundancy and regeneration. After the massacre at the Munich Olympics in 1972, the Israelis mounted an intense covert operation to identify, penetrate and destroy the movement -- called Black September -- that mounted the attack. Black September was not simply a separate movement but a front for various Palestinian factions. Killing those involved with Munich would not paralyze Black September, and destroying Black September did not destroy the Palestinian movement. That movement had redundancy -- the ability to shift new capable people into the roles of those killed -- and therefore could regenerate, training and deploying fresh operatives.

The mission was successfully carried out, but the mission was poorly designed. Like a general using overwhelming force to destroy a marginal element of the enemy army, the Israelis focused their covert capability to destroy elements whose destruction would not give the Israelis what they wanted -- the destruction of the various Palestinian covert capabilities. It might have been politically necessary for the Israeli public, it might have been emotionally satisfying, but the Israeli's enemies weren't broken. Consider that Entebbe occurred in 1976. If Israel's goal in targeting Black September was the suppression of terrorism by Palestinian groups, the assault on one group did not end the threat from other groups.

Therefore, the political ends the Israelis sought were not achieved. The Palestinians did not become weaker. The year 1972 was not the high point of the Palestinian movement politically. It became stronger over time, gaining substantial international legitimacy. If the mission was to break the Palestinian covert apparatus to weaken the Palestinian capability and weaken its political power, the covert war of eliminating specific individuals identified as enemy operatives failed. The operatives very often were killed, but the operation did not yield the desired outcome.

And here lies the real dilemma of assassination. It is extraordinarily rare to identify a person whose death would materially weaken a substantial political movement in some definitive sense -- i.e., where if the person died, then the movement would be finished. This is particularly true for nationalist movements that can draw on a very large pool of people and talent. It is equally hard to reduce a movement quickly enough to destroy the organization's redundancy and regenerative capability. Doing so requires extraordinary intelligence penetration as well as a massive covert effort, so such an effort quickly reveals the penetration and identifies your own operatives.

A single swift, global blow is what is dreamt of. Covert war actually works as a battle of attrition, involving the slow accumulation of intelligence, the organization of the strike, the assassination. At that point, one man is dead, a man whose replacement is undoubtedly already trained. Others are killed, but the critical mass is never reached, and there is no one target who if killed would cause everything to change.

In war there is a terrible tension between the emotions of the public and the cold logic that must drive the general. In covert warfare, there is tremendous emotional satisfaction to the country when it is revealed that someone it regards as not only an enemy, but someone responsible for the deaths of their countryman, has been killed. But the generals or directors of intelligence can't afford this satisfaction. They have limited resources, which must be devoted to achieving their country's political goals and assuring its safety. Those resources have to be used effectively.

There are few Hitlers whose death is morally demanded and might have a practical effect. Most such killings are both morally and practically ambiguous. In covert warfare, even if you concede every moral point about the wickedness of your enemy, you must raise the question as to whether all of your efforts are having any real effect on the enemy in the long run. If they can simply replace the man you killed, while training ten more operatives in the meantime, you have achieved little. If the enemy keeps becoming politically more successful, then the strategy must be re-examined.

We are not writing this as pacifists; we do not believe the killing of enemies is to be avoided. And we certainly do not believe that the morally incoherent strictures of what is called international law should guide any country in protecting itself. What we are addressing here is the effectiveness of assassination in waging covert warfare. Too frequently, it does not, in our mind, represent a successful solution to the military and political threat posed by covert organizations. It might bring an enemy to justice, and it might well disrupt an organization for a while or even render a specific organization untenable. But in the covert wars of the 20th century, the occasions when covert operations -- including assassinations -- achieved the political ends being pursued were rare. That does not mean they never did. It does mean that the utility of assassination as a main part of covert warfare needs to be considered carefully. Assassination is not without cost, and in war, all actions must be evaluated rigorously in terms of cost versus benefit.

This report may be forwarded or republished on your website with attribution to www.stratfor.com.

Copyright 2010 Stratfor.

Visa Security: Getting back to the Basics

2010-02-19T23:12:00.002-06:00

Usually in the STRATFOR Global Security and Intelligence Report, we focus on the tactical details of terrorism and security issues in an effort to explain those issues and place them in perspective for our readers. Occasionally, though, we turn our focus away from the tactical realm in order to examine the bureaucratic processes that shape the way things run in the counterterrorism, counterintelligence and security arena. This look into the struggle by the U.S. government to ensure visa security is one of those analyses.

As STRATFOR has noted for many years now, document-fraud investigations are a very useful weapon in the counterterrorism arsenal. Foreigners who wish to travel to the United States to conduct a terrorist attack must either have a valid passport from their country of citizenship and a valid U.S. visa, or just a valid passport from their home country if they are a citizen of a country that does not require a visa for short-term trips (called visa-waiver countries).

In some early jihadist attacks against the United States, such as the 1993 World Trade Center bombing, the operatives dispatched to conduct the attacks made very clumsy attempts at document fraud. In that case, the two operational commanders dispatched from Afghanistan to conduct the attack arrived at New York's Kennedy Airport after having used photo-substituted passports (passports where the photographs are literally switched) of militants from visa-waiver countries who died while fighting in Afghanistan. Ahmed Ajaj (a Palestinian) used a Swedish passport in the name of Khurram Khan, and Abdul Basit (a Pakistani also known as Ramzi Yousef) used a British passport in the name of Mohamed Azan. Ajaj attempted to enter through U.S. Immigration at Kennedy Airport using the obviously photo-substituted passport and was arrested on the spot. Basit used the altered British passport to board the aircraft in Karachi, Pakistan, but upon arrival in New York he used a fraudulently obtained but genuine Iraqi passport in the name of Ramzi Yousef to claim political asylum and was released pending his asylum hearing.

But the jihadist planners learned from amateurish cases like Ajaj's and that of Ghazi Ibrahim Abu Mezer, a Palestinian who attempted to conduct a suicide attack against the New York subway system. U.S. immigration officials arrested him on three occasions in the Pacific Northwest as he attempted to cross into the United States illegally from Canada. By the Millennium Bomb Plot in late 1999, Ahmed Ressam, an Algerian who initially entered Canada using a photo-substituted French passport, had obtained a genuine Canadian passport using a fraudulent baptismal certificate. He then used that genuine passport to attempt to enter the United States in order to bomb Los Angeles International Airport. Ressam was caught not because of his documentation but because of his demeanor -- and an alert customs inspector prevented him from entering the country.

So by the time the 9/11 attacks occurred, we were seeing groups like al Qaeda preferring to use genuine travel documents rather than altered or counterfeit documents. Indeed, some operatives, such as Ramzi bin al-Shibh, a Yemeni, were unable to obtain U.S. visas and were therefore not permitted to participate in the 9/11 plot. Instead, bin al-Shibh took on a support role, serving as the communications cutout between al Qaeda's operational planner, Khalid Sheikh Mohammed, and al Qaeda's tactical commander for the operation, Mohamed Atta. It is important to note, however, that the 19 9/11 operatives had obtained a large assortment of driver's licenses and state identification cards, many of them fraudulent. Such documents are far easier to obtain than passports.

After the Sept. 11 attacks and the 9/11 Commission report, which shed a great deal of light on the terrorist use of document fraud, the U.S. government increased the attention devoted to immigration fraud and the use of fraudulent travel documents by terrorist suspects. This emphasis on detecting document fraud, along with the widespread adoption of more difficult to counterfeit passports and visas (no document is impossible to counterfeit), has influenced jihadists, who have continued their shift away from the use of fraudulent documents (especially poor quality documents). Indeed, in many post-9/11 attacks directed against the United States we have seen jihadist groups use U.S. citizens (Jose Padilla and Najibullah Zazi), citizens of visa-waiver countries (Richard Reid and Abdulla Ahmed Ali), and other operatives who possess or can obtain valid U.S. visas such as Umar Farouk Abdulmutallab. These operatives are, for the most part, using authentic documents issued in their true identities.

Concerns expressed by the 9/11 Commission over the vulnerability created by the visa-waiver program also prompted the U.S. government to establish the Electronic System for Travel Authorization (ESTA), which is a mandatory program that prescreens visa-waiver travelers, including those transiting through the United States. The ESTA, which became functional in January 2009, requires travelers from visa-waiver countries to apply for travel authorization at least 72 hours prior to travel. This time period permits the U.S. Department of Homeland Security (DHS) to conduct background checks on pending travelers.

Growing Complexity

Counterfeit visas are not as large a problem as they were 20 years ago. Advances in technology have made it very difficult for all but the most high-end document vendors to counterfeit them, and it is often cheaper and easier to obtain an authentic visa by malfeasance -- bribing a consular officer -- than it is to acquire a machine-readable counterfeit visa that will work. Obtaining a genuine U.S. passport or one from a visa-waiver country by using fraudulent breeder documents (driver's licenses and birth certificates, as Ahmed Ressam did) is also cheaper and easier. But in the case of non-visa waiver countries, this shift to the use of genuine identities and identity documents now highlights the need to secure the visa issuance process from fraud and malfeasance.

This shift to genuine-identity documents also means that most visa fraud cases involving potential terrorist operatives are going to be very complex. Rather than relying on obvious flags like false identities, the visa team consisting of clerks, consular officers, visa-fraud coordinators and Diplomatic Security Service (DSS) special agents needs to examine carefully not just the applicant's identity but also his or her story in an attempt to determine if it is legitimate, and if there are any subtle indicators that the applicant has ties to radical groups (like people who lose their passports to disguise travel to places like Pakistan and Yemen). As in many other security programs, however, demeanor is also critically important, and a good investigator can often spot signs of deception during a visa interview (if one is conducted).

If the applicant's documents and story check out, and there are no indicators of radical connections, it is very difficult to determine that an applicant is up to no good unless the U.S. government possesses some sort of intelligence indicating that the person may be involved in such activity. In terms of intelligence, there are a number of different databases, such as the Consular Lookout and Support System (CLASS), the main State Department database and the terrorism-specific Terrorist Identities Datamart Environment (TIDE) system. The databases are checked in order to determine if there is any derogatory information that would preclude a suspect from receiving a visa. These databases allow a number of U.S. government agencies to provide input -- CLASS is tied into the Interagency Border Inspection System (IBIS) -- and they allow these other agencies to have a stake in the visa issuance process. (It must be noted that, like any database, foreign language issues -- such as the many ways to transliterate the name Mohammed into English -- can often complicate the accuracy of visa lookout database entries and checks.)

Today the lookout databases are a far cry from what they were even 15 years ago, when many of the lists were contained on microfiche and checking them was laborious. During the microfiche era, mistakes were easily made, and some officers skipped the step of running the time-consuming name checks on people who did not appear to be potential terrorists. This is what happened in the case of a poor old blind imam who showed up at the U.S. Embassy in Khartoum in 1990 -- and who turned out to be terrorist leader Sheikh Omar Ali Ahmed Abdul-Rahman. As an aside, although Rahman, known as the Blind Sheikh, did receive a U.S. visa, DSS special agents who investigated his case were able to document that he made material false statements on his visa application (such as claiming he had never been arrested) and were therefore able to build a visa fraud case against the Sheikh. The case never proceeded to trial, since the Sheikh was convicted on seditious conspiracy charges and sentenced to life in prison.

The U.S. government's visa fraud investigation specialists are the special agents assigned to the U.S. Department of State's DSS. In much the same way that U.S. Secret Service special agents work to ensure the integrity of the U.S. currency system through investigations of counterfeiting, DSS agents work to ensure the inviolability of U.S. passports and visas by investigating passport and visa fraud. The DSS has long assigned special agents to high fraud-threat countries like Nigeria to investigate passport and visa fraud in conjunction with the post's consular affairs officers. In the Intelligence Reform and Terrorism Prevention Act of 2004, Congress ordered the State Department to establish a visa and passport security program. In response to this legislation, a memorandum of understanding was signed between the Bureau of Consular Affairs and the DSS to establish the Overseas Criminal Investigations Branch (OCI). The purpose of the OCI was to conduct investigations related to illegal passport and visa issuances or use and other investigations at U.S. embassies overseas. A special agent assigned to these duties at an overseas post is referred to as an investigative Assistant Regional Security Officer (or ARSO-I).

While the OCI and the ARSO-I program seemed promising at first, circumstance and bureaucratic hurdles have prevented the program from running to the best of its ability and meeting the expectations of the U.S. Congress.

Bureaucratic Shenanigans

As we've previously noted, there is a powerful element within the State Department that is averse to security and does its best to thwart security programs. DSS special agents refer to these people as Black Dragons. Even when Congress provides clear guidance to the State Department regarding issues of security (e.g., the Omnibus Diplomatic Security and Antiterrorism Act of 1986), the Black Dragons do their best to strangle the programs, and this constant struggle produces discernable boom-and-bust cycles, as Congress provides money for new security programs and the Black Dragons, who consider security counterproductive for diplomacy and armed State Department special agents undiplomatic, use their bureaucratic power to cut off those programs.

Compounding this perennial battle over security funding has been the incredible increase in protective responsibilities that the DSS has had to shoulder since 9/11. The bureau has had to provide a large number of agents to protect U.S. diplomats in places like Afghanistan and Pakistan and even staffed and supervised the protective detail for Afghan President Hamid Karzai for a few years. Two DSS special agents were also killed while protecting the huge number of U.S diplomats assigned to reconstruction efforts in Iraq. One agent was killed in a rocket attack on the U.S. Embassy in Baghdad and the other by a suicide car-bomb attack in Mosul.

The demands of protection and bureaucratic strangulation by the Black Dragons, who have not embraced the concept of the ARSO-I program, has resulted in the OCI program being deployed very slowly. This means that of the 200 positions envisioned and internally programmed by Bureau of Consular Affairs and DSS in 2004, only 50 ARSO-I agents have been assigned to posts abroad as of this writing, and a total of 123 ARSO-I agents are supposed to be deployed by the end of 2011. The other 77 ARSO-I positions were taken away from the OCI program by the department and used to provide more secretarial positions.

In the wake of State Department heel-dragging, other agencies are now seeking to fill the void.

The Vultures Are Circling

In a Feb. 9, 2010, editorial on GovernmentExecutive.com, former DHS Under Secretary for Border and Transportation Security Asa Hutchinson made a pitch for the DHS to become more involved in the visa-security process overseas, and he is pushing for funding more DHS positions at U.S. embassies abroad. To support his case that more DHS officers are needed for visa security, Hutchinson used the case of Umar Farouk Abdulmutallab as an example of why DHS needed a larger presence overseas.

Unfortunately, the Abdulmutallab case had nothing to do with visa fraud, and the presence of a DHS officer at post would certainly not have prevented him from receiving his initial visa. Abdulmutallab was first issued a U.S. visa in 2004, before he was radicalized during his university studies in the United Kingdom from 2005 to 2008, and he qualified for that visa according to the guidelines established by the U.S. government without fraud or deception. Of course, the fact that he came from a prominent Nigerian family certainly helped.

The problem in the Abdulmutallab case was not in the issuance of his visa in 2004. His identity and story checked out. There was no negative information about him in the databases checked for visa applicants. He also traveled to the United States in 2004 and left the country without overstaying his visa, and was not yet listed in any of the lookout databases, so his visa renewal in June 2008 in London was also not surprising.

The real problem in the Abdulmutallab case began when the CIA handled the interview of Abdulmutallab's father when he walked into the embassy in November 2009 to report that his son had become radicalized and that he feared his son was preparing for a suicide mission. The CIA did not share the information gleaned from that interview in a terrorism report cable (TERREP), or with the regional security officer at post or the ARSO-I. (The fact that the CIA, FBI and other agencies have assumed control over the walk-in program in recent years is also a serious problem, but that is a matter to be addressed separately.) Due to that lack of information-sharing, Abdulmutallab's visa was not canceled as it could have and should have been. His name was also not added to the U.S. government's no-fly list.

Again, had there been a DHS officer assigned to the embassy, he would not have been able to do any more than the ARSO-I already assigned to post, since he also would not have received the information from the CIA that would have indicated that Abdulmutallab's visa needed to be revoked.

Once again, information was not shared in a counterterrorism case -- a recurring theme in recent years. And once again the lack of information would have proved deadly had Abdulmutallab's device not malfunctioned. Unfortunately, information-sharing is never facilitated by the addition of layers of bureaucracy. This is the reason why the addition of the huge new bureaucracy called the Office of the Director of National Intelligence has not solved the issue of information-sharing among intelligence agencies.

Hutchinson is correct when he notes that the DHS must go back to basics, but DHS has numerous other domestic programs that it must master the basics of -- things like securing the border, overseeing port and cargo security, interior immigration and customs enforcement and ensuring airline security -- before it should even consider expanding its presence overseas.

Adding another layer of DHS involvement in overseeing visa issuance and investigating visa fraud at diplomatic posts abroad is simply not going to assist in the flow of information in visa cases, whether criminal or terrorist in nature. Having another U.S. law enforcement agency interfacing with the host country police and security agencies regarding visa matters will also serve to cause confusion and hamper efficient information flow. The problem illustrated by the Abdulmutallab case is not that the U.S. government lacks enough agencies operating in overseas posts; the problem is that the myriad agencies already there simply need to return to doing basic things like talking to each other. Getting the ARSO-I program funded and back on track is a basic step necessary to help in securing the visa process, but even that will not be totally effective unless the agencies at post do a better job of basic tasks like coordination and communication.

This report may be forwarded or republished on your website with attribution to www.stratfor.com.

Copyright 2010 Stratfor.

The Meaning of Marijah

2010-02-17T07:24:00.006-06:00

By Kamran Bokhari, Peter Zeihan and Nathan Hughes

On Feb. 13, some 6,000 U.S. Marines, soldiers and Afghan National Army (ANA) troops launched a sustained assault on the town of Marjah in Helmand province. Until this latest offensive, the U.S. and NATO effort in Afghanistan had been constrained by other considerations, most notably Iraq. Western forces viewed the Afghan conflict as a matter of holding the line or pursuing targets of opportunity. But now, armed with larger forces and a new strategy, the war -- the real war -- has begun. The most recent offensive -- dubbed Operation Moshtarak ("Moshtarak" is Dari for "together") -- is the largest joint U.S.-NATO-Afghan operation in history. It also is the first major offensive conducted by the first units deployed as part of the surge of 30,000 troops promised by U.S. President Barack Obama.

The United States originally entered Afghanistan in the aftermath of the Sept. 11 attacks. In those days of fear and fury, American goals could be simply stated: A non-state actor -- al Qaeda -- had attacked the American homeland and needed to be destroyed. Al Qaeda was based in Afghanistan at the invitation of a near-state actor -- the Taliban, which at the time were Afghanistan's de facto governing force. Since the Taliban were unwilling to hand al Qaeda over, the United States attacked. By the end of the year, al Qaeda had relocated to neighboring Pakistan and the Taliban retreated into the arid, mountainous countryside in their southern heartland and began waging a guerrilla conflict. In time, American attention became split between searching for al Qaeda and clashing with the Taliban over control of Afghanistan.

But from the earliest days following 9/11, the White House was eyeing Iraq, and with the Taliban having largely declined combat in the initial invasion, the path seemed clear. The U.S. military and diplomatic focus was shifted, and as the years wore on, the conflict absorbed more and more U.S. troops, even as other issues -- a resurgent Russia and a defiant Iran -- began to demand American attention. All of this and more consumed American bandwidth, and the Afghan conflict melted into the background. The United States maintained its Afghan force in what could accurately be described as a holding action as the bulk of its forces operated elsewhere. That has more or less been the state of affairs for eight years.

That has changed with the series of offensive operations that most recently culminated at Marjah.

Why Marjah? The key is the geography of Afghanistan and the nature of the conflict itself. Most of Afghanistan is custom-made for a guerrilla war. Much of the country is mountainous, encouraging local identities and militias, as well as complicating the task of any foreign military force. The country's aridity discourages dense population centers, making it very easy for irregular combatants to melt into the countryside. Afghanistan lacks navigable rivers or ports, drastically reducing the region's likelihood of developing commerce. No commerce to tax means fewer resources to fund a meaningful government or military and encourages the smuggling of every good imaginable -- and that smuggling provides the perfect funding for guerrillas.

Rooting out insurgents is no simple task. It requires three things:

Massively superior numbers so that occupiers can limit the zones to which the insurgents have easy access.
The support of the locals in order to limit the places that the guerillas can disappear into.
Superior intelligence so that the fight can be consistently taken to the insurgents rather than vice versa.

Without those three things -- and American-led forces in Afghanistan lack all three -- the insurgents can simply take the fight to the occupiers, retreat to rearm and regroup and return again shortly thereafter.

But the insurgents hardly hold all the cards. Guerrilla forces are by their very nature irregular. Their capacity to organize and strike is quite limited, and while they can turn a region into a hellish morass for an opponent, they have great difficulty holding territory -- particularly territory that a regular force chooses to contest. Should they mass into a force that could achieve a major battlefield victory, a regular force -- which is by definition better-funded, -trained, -organized and -armed -- will almost always smash the irregulars. As such, the default guerrilla tactic is to attrit and harass the occupier into giving up and going home. The guerrillas always decline combat in the face of a superior military force only to come back and fight at a time and place of their choosing. Time is always on the guerrilla's side if the regular force is not a local one.

But while the guerrillas don't require basing locations that are as large or as formalized as those required by regular forces, they are still bound by basic economics. They need resources -- money, men and weapons -- to operate. The larger these locations are, the better economies of scale they can achieve and the more effectively they can fight their war.

Marjah is perhaps the quintessential example of a good location from which to base. It is in a region sympathetic to the Taliban; Helmand province is part of the Taliban's heartland. Marjah is very close to Kandahar, Afghanistan's second city, the religious center of the local brand of Islam, the birthplace of the Taliban, and due to the presence of American forces, an excellent target. Helmand alone produces more heroin than any country on the planet, and Marjah is at the center of that trade. By some estimates, this center alone supplies the Taliban with a monthly income of $200,000. And it is defensible: The farmland is crisscrossed with irrigation canals and dotted with mud-brick compounds -- and, given time to prepare, a veritable plague of IEDs.

Simply put, regardless of the Taliban's strategic or tactical goals, Marjah is a critical node in their operations.

The American Strategy
Though operations have approached Marjah in the past, it has not been something NATO's International Security Assistance Force (ISAF) ever has tried to hold. The British, Canadian and Danish troops holding the line in the country's restive south had their hands full enough. Despite Marjah's importance to the Taliban, ISAF forces were too few to engage the Taliban everywhere (and they remain as such). But American priorities started changing about two years ago. The surge of forces into Iraq changed the position of many a player in the country. Those changes allowed a reshaping of the Iraq conflict that laid the groundwork for the current "stability" and American withdrawal. At the same time, the Taliban began to resurge in a big way. Since then the Bush and then Obama administrations inched toward applying a similar strategy to Afghanistan, a strategy that focuses less on battlefield success and more on altering the parameters of the country itself.

As the Obama administration's strategy has begun to take shape, it has started thinking about endgames. A decades-long occupation and pacification of Afghanistan is simply not in the cards. A withdrawal is, but only a withdrawal where the security free-for-all that allowed al Qaeda to thrive will not return. And this is where Marjah comes in.

Denying the Taliban control of poppy farming communities like Marjah and the key population centers along the Helmand River Valley -- and areas like them around the country -- is the first goal of the American strategy. The fewer key population centers the Taliban can count on, the more dispersed -- and militarily inefficient -- their forces will be. This will hardly destroy the Taliban, but destruction isn't the goal. The Taliban are not simply a militant Islamist force. At times they are a flag of convenience for businessmen or thugs; they can even be, simply, the least-bad alternative for villagers desperate for basic security and civil services. In many parts of Afghanistan, the Taliban are not only pervasive but also the sole option for governance and civil authority.

So destruction of what is in essence part of the local cultural and political fabric is not an American goal. Instead, the goal is to prevent the Taliban from mounting large-scale operations that could overwhelm any particular location. Remember, the Americans do not wish to pacify Afghanistan; the Americans wish to leave Afghanistan in a form that will not cause the United States severe problems down the road. In effect, achieving the first goal simply aims to shape the ground for a shot at achieving the second.

That second goal is to establish a domestic authority that can stand up to the Taliban in the long run. Most of the surge of forces into Afghanistan is not designed to battle the Taliban now but to secure the population and train the Afghan security forces to battle the Taliban later. To do this, the Taliban must be weak enough in a formal military sense to be unable to launch massive or coordinated attacks. Capturing key population centers along the Helmand River Valley is the first step in a strategy designed to create the breathing room necessary to create a replacement force, preferably a replacement force that provides Afghans with a viable alternative to the Taliban.

That is no small task. In recent years, in places where the official government has been corrupt, inept or defunct, the Taliban have in many cases stepped in to provide basic governance and civil authority. And this is why even the Americans are publicly flirting with holding talks with certain factions of the Taliban in hopes that at least some of the fighters can be dissuaded from battling the Americans (assisting with the first goal) and perhaps even joining the nascent Afghan government (assisting with the second).

The bottom line is that this battle does not mark the turning of the tide of the war. Instead, it is part of the application of a new strategy that accurately takes into account Afghanistan's geography and all the weaknesses and challenges that geography poses. Marjah marks the first time the United States has applied a plan not to hold the line, but actually to reshape the country. We are not saying that the strategy will bear fruit. Afghanistan is a corrupt mess populated by citizens who are far more comfortable thinking and acting locally and tribally than nationally. In such a place indigenous guerrillas will always hold the advantage. No one has ever attempted this sort of national restructuring in Afghanistan, and the Americans are attempting to do so in a short period on a shoestring budget.

At the time of this writing, this first step appears to be going well for American-NATO-Afghan forces. Casualties have been light and most of Marjah already has been secured. But do not read this as a massive battlefield success. The assault required weeks of obvious preparation, and very few Taliban fighters chose to remain and contest the territory against the more numerous and better armed attackers. The American challenge lies not so much in assaulting or capturing Marjah but in continuing to deny it to the Taliban. If the Americans cannot actually hold places like Marjah, then they are simply engaging in an exhausting and reactive strategy of chasing a dispersed and mobile target.

A "government-in-a-box" of civilian administrators is already poised to move into Marjah to step into the vacuum left by the Taliban. We obviously have major doubts about how effective this box government can be at building up civil authority in a town that has been governed by the Taliban for most of the last decade. Yet what happens in Marjah and places like it in the coming months will be the foundation upon which the success or failure of this effort will be built. But assessing that process is simply impossible, because the only measure that matters cannot be judged until the Afghans are left to themselves.

This report may be forwarded or republished on your website with attribution to www.stratfor.com.

Copyright 2010 Stratfor.

517

2010-02-02T07:21:00.005-06:00

In Bernard Cornwell's historical novel "Sharpe's Eagle," the author recounts a battle in 1809 in which the not yet Duke of Wellington Wellesley's army is arrayed in Talavera, Spain against Napoleon's forces. One thread of the story describes a "bought" Lt. Colonel looking over the battalion he raised with his own money and through his own political connections in England. A political rival of Wellesley back home, Sir Henry Simmerson is anxious for the opportunity to prove Wellesley reckless and himself worthy of becoming a "new kind" of General, more sensible, more intellectual, more - scientific.

In this particular battle, and from his vantage point above, Lt. Colonel Simmerson surveys his troops and the French that oppose them. His enemy are arraying fresh battalions agains the British line after the British successfully repulse an initial French attack. Wise and skilled commander that he sees himself to be, Simmerson perceives Wellesley's recklessness anew and in it, his own road to Glory. The French will destroy Wellesley's army and his own troops. But he, Lt. Colonel Sir Henry Simmerson, will be hailed in the British Parliament as the one commander with the foresight to withdraw from the coming onslaught, preserving his troops - if he withdraws them now. He proceeds to order the retreat of his battalion. In turn he leaves a gaping hole in the British Line and endangers the balance of Wellesley's forces. Nestled in the flower of Simmerson's withdrawal are the seeds of a self-fulfilling prophesy.

In the circumstance of our lives, how often do we face risk, and rather than engaging in the battle that threatens our peace, succumb to the temptation to withdraw? How often do we try to preserve the very thing that is needed right now? How often do we conjure up excuses that masquerade as wisdom? Like the foolish servant given a single gold bar in the parable of the talents, how often have we said "See Master, here is your talent! Knowing you to be a hard man I buried it!" And how often, like that foolish servant, are we astonished that our wisdom is not only rebuked, but condemned?

As I turn 53 today, I am acutely aware of the times that, like Simmerson and the foolish servant, I have disengaged from a challenge in order to preserve for another day something that was intended to be used in that very moment? I am reminded of the words I've used to explain away my action. Some call these excuses, others cowardice. But I am also aware that I'm here for a purpose, that I am to steward the resources of my life, my job, my savings, my family, my friends, my talents, and my gifts. These are not set pieces of a pretend life, or trophies for some retired afterlife. They are gifts from my Creator to be relied upon now, and for such a moment as this.

In the parable of the talents, the wicked servant's now un-buried talent is given to the servant who had previously proven his worth and earned his Master's trust. In Cornwell's story, Simmerson is relieved of duty as he is retreating from the field as a consequence of his cowardice. His battalion is re-deployed by a leader who was willing to act with the resources at hand, resources intended (and needed) for precisely that moment.

We may not control all outcomes, but we do control our actions. Do we engage, or do we withdraw?

Oh, and 517? That's the time I woke up this morning. And today's blog is one of today's challenges I had to engage. You can judge its outcome.

A Blow For Democracy Against McCain-Feingold: Gag Rules Struck Down

2010-01-21T13:21:00.005-06:00

The restrictions thus function as the equivalent of a prior restraint, giving the FEC power analogous to the type of government practices that the First Amendment was drawn to prohibit.

So wrote Justice Kennedy in today's decision striking down the government's ability to stifle speech during an election, ruling against provisions of the 2002 Bipartisan Campaign Reform Act (BCRA).

This decision is kind of a catharsis, having just watched MI-5's 5th Season opener (thank you NetFlix) - where MI-5 Chief Harry Price and his protectors of the realm foil a coup comprised of the press, big oil, and their foreign intelligence counterparts, MI-6, that would have spawned a police state in the UK.

Although the First Amendment provides that “Congress shall make no law . . . abridging the freedom of speech,” §441b’s prohibition on corporate independent expenditures is an outright ban on speech, backed by criminal sanctions.

A "ban on speech, backed by criminal sanctions." It should be astounding that such a fundamental principal, voiced so simply in the First Amendment, could be essentially ignored by McCain-Feingold, enacted in legislation, and take over 8 years to be remedied. Justice Kennedy went on during oral arguments last September to explore if books could be banned based on this legislation - the chilling (and decisive) determination being yes. A book that was transmitted via satellite to a Kindle for example, would fall under the FEC's law and thereby could be banned if published (or distributed) during the 30 day McCain-Feingold window.

Because speech is an essential mechanism of democracy—it is the means to hold officials accountable to the people—political speech must prevail against laws that would suppress it by design or inadvertence.

Amen.

Premised on mistrust of governmental power, the First Amendment stands against attempts to disfavor certain subjects or viewpoints or to distinguish among different speakers, which may be a means to control content.
A reminder that the Constitution affirms mistrust of governmental power, and stands to defend its citizens against its misuse.
The Government may also commit a constitutional wrong when by law it identifies certain preferred speakers. There is no basis for the proposition that, in the political speech context, the Government may impose restrictions on certain disfavored speakers. Both history and logic lead to this conclusion.

In addition to the author's, one should question the supporters of McCain Fiengold (those that still hold office).

Campaign finance accountability is easy - full disclosure of every dime given to every candidate - with criminal penalties for withholding the same. Follow the money if you must - but you may not touch the

speech. Today's decision upholds the disclosure/disclaimer provisions of the bill.

Today's decision, against the channels that would suggest otherwise, should affirm our faith in our institutions. It reminds me of Churchill's oft' repeated saying, "Democracy is the worst form of government, except for all the others."

The full text of today's supreme court decision can be found in PDF here.

Cheers!

Thanx to the Cato Institute for the alert and coverage of last September's oral arguments.

To those who fear that Universal Healthcare is Dead

2010-01-20T14:59:00.004-06:00

The following is based on a thread initiated by my friend Birgit, and helped along by my friend Steve. On the issue of Federally funded healthcare I believe we differ. On the issue of quality healthcare delivered effectively and efficiently to the largest population possible - I think we are in complete agreement.

Rather than punt to the Federal government the local issue of health care delivery, why don't we let the citizens of California (Pop 37M), Texas (Pop 24M), NY (Pop 19.5M) , Florida (Pop 18M), Illinois (Pop 12.9) Pennsylvania (Pop 12.4M), etcetera. chose (or not) their own program as has Massachusetts (Pop 6.5M)? For states w/ populations below say 5m, create intra-state medical regions that will operate as do the larger states?

I contend that to compare the United States (303M) to Germany (83M), Switzerland (7.6M), the Netherlands (17M), Australia (21.2M), or Canada (33M) is to miss the importance of scale and jurisdiction. While Uwe Rhinehardt's perspective with respect to community risk and risk equalization describes a standard actuarial model for healthcare funding, it fails to acknowledge the differences in scale between the examples and the United States, and ignores the unique regional implications of the nature of Unites States and the separation of powers between the Federal and State Governments.

Whether you like the plan or not, I think Massachusetts has proven a plan can be enacted and administered at the State level. That said - one should evaluate its current performance and ask if this is what is wanted for the other states, let alone the nation.

Do we want basic healthcare for all, or a federally mandated and controlled program? In my opinion, one does not imply the other.

For an example of privately managed and quality healthcare, *Kaiser Permanente was born in 1930. Dr. Sydney Garfield seized an opportunity that simplified his back office (billing) and provided full healthcare to thousands of workers on the LA Aqueduct. He wasn't trying to get rich - just deliver high quality healthcare in the most efficient (business and medical) means possible. *Full Disclosure - I was an employee of Kaiser Permanente from 1991-1999

My friends who advocate a universal plan do so from the best of motives. They ask why should we who have "good" jobs be able to afford good health care that preserves our lifestyle - when those who "are not lucky enough" suffer loss of jobs, savings, and homes when struck with debilitating illness or injury? Another post will be required to do justice to this question.

I don't believe quality healthcare can be born out of pure profit motive (capitalist though I be) nor from government coercion. I believe it can only be forged by like minded individuals, organizations, and health care providers, banding together to articulate a shared objective and selling it to the populace that are to be its beneficiaries.

When the healthcare reform debate becomes more about the definition of basic quality care, its effective delivery, and efficient financial structures, we will start to perceive what reform means. As long as the discussion centers on secondary issues (or agendas) - or is politicized (meaning its character is shaped by current political powers) we will be a long way from any healthcare reform - universal or otherwise.

Respectfully yours,

Smoke Signals - Musings of the Cloud

2009-11-09T10:00:00.005-06:00

I'm musing my way through the daily growing smoke of Cloud Computing. Its not that I think Cloud Computing is smoke. Its that much of what traditional vendors are saying about Cloud is, well, less than clear.

Businesses have long sought to get to a "utility" view of IT - Cloud seems to be the latest version of that. Lease, don't buy the means of production. Only pay more as you need more to make more money. Cloud enables the encapsulation behind a web accessible interface delivering whatever business relevant capabilities you may need. Think SalesForce.Com for CRM, e2open for supply chain, IBM ISS Managed Security Services, etc.

If this view is correct, then Cloud is not about the elimination of IT - it is about paying someone else to worry about it, about using their IT, and not our own. But its more than traditional outsourcing. It is not having to think about anything (or very little) beyond my business. Cloud vs. traditional IT is Mac vs. PC - use, enjoy, even love the apps - don't worry about how the machine makes them work.

If you're a consumer - or a business that needs particular information services, Cloud is very easy to understand. If you're a provider of Cloud services, or of the software and hardware and virtualization and network technologies of which Cloud is comprised - You may have trouble getting your head around it.

Cloud implies economies of scale my business gets to share in and better yet, not think much about (let alone manage). Cloud implies shared infrastructure multiple enterprises, not just across departments and corporate divisions. It is the natural evolution of shared services beyond provincial and ephemeral corporate borders - it is the ultimate separation business and IT. At least in theory. Fortunately the theory is playing out well in some sectors - if less so in others.

Why Cloud? IT support and maintenance budgets that are growing faster than the businesses they support. IT lock - businesses are unable to move to competitive offerings (observe the sole source economics of internal IT departments). With traditional IT, business flows like cold molasses when trying to morph their information services to address or create new business opportunities.

Cloud is not a panacea - it is a signal telling us its time to deliver products that support a utility model. Now, not next year. We've found the need, lets fill it - not redefine or hope to ignore it because our products "don't work that way."

I'm also thinking about how we as hardware, software, and solution vendors can support the opportunities the Cloud offers - but that's a blog for another day.

Mandatory Encryption - a silent tax.

2008-10-17T15:52:00.004-05:00

Nevada this month enacted a law mandating

all businesses there to encrypt personally-identifiable customer data, including names and credit-card numbers, that are transmitted electronically.

Cool.

So - where are the keys?

PKIX notwithstanding - single sided authentication works in the web (HTTP) world and presumably would fulfill the requirement of encryption during transmission. We have it today - no cost involved.

But email encryption implies S/MIME or proprietary schemes, and a set of technology available to users and businesses alike. It means that those communicating with businesses are not only "registered" with that business, but have the appropriate software and security artifacts (keys, certs, what have you). Average per user cost? $50 a computer according to estimates.

The Wall Street Journal goes on to report

The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent, said Miriam Wugmeister, an attorney with Morrison & Foerster LLP.

So - how well would have the new legislation protected the 47 million customers of the TJ Maxx conglomerate?

A better solution might be to require companies that transact business with retail customers to delete credit card information once a transaction is completed and approved by the credit card company. Leave essential CC authentication data in the hands of the authenticator (user).

This doesn't solve the other use cases, medical records or portions thereof, or business to business communications. But the later is of significantly reduced scope to the consumer case.

Healthcare organizations will be driven to more web based interactions with their patients, forgoing the quick Dr's note which the patient requested. Rather they will simply send a link saying "Sign in to discover what we can't tell you here."

Mandating "encryption" is like mandating the color of your car - it may look nice - but its probably not exactly what you wanted, especially when you have to pay for it.

5 Years of 401(k) Contributions - "Poof!"

2008-10-16T14:24:00.005-05:00

In assessing the personal damage from the current "World has Changed" events - I realized that the past 2 months have erased (yes - erased) 5 years of contribution to our 401(k). Granted - that's before taxes - but still ... its a shock. And a loss.

That said (and felt ), I bless my God - who is not made of wood or stone, or even precious metals or jewels, or indeed any made thing, rather He is, and He who was, and is, and is to come, and who has provided for me and my family faithfully - beyond anything I can ask or think. And I expect no less of Him in this time.

"Be anxious for nothing, but in everything by prayer and thanksgiving, let your requests be made known to God. And the peace of God, which surpasses all understanding, will keep your hearts and minds in Christ Jesus." Paul's letter to the Phillippian Church, Chapter 4, verses 6 & 7

So we are thankful that in Him we live, and breathe, and have our being. And our meals, and our house, car, dogs, school, music, church, friends, and work. And the living God Himself. We are excited to see the awesome things He does in our lives, our home, and in our community, in the midst these times that will try men's souls. And challenge ourselves.

Financial Crisis and Terrorism

2008-10-11T15:12:00.009-05:00

This past week, on October 8th to be precise, British Prime minister Gordon Brown used the British version of the Patriot Act, the "2001 Anti-Terrorism and Anti-Crime Act" to freeze Icelandic assets in British banks. This legislation, enacted in the wake of the 9/11 attacks in the United States, was proposed to protect the British Public from terrorism and crime by granting to the state special powers. These powers include the seizure of assets - supposedly to mitigate a terrorist's or criminal's means of practicing their trades.

The backdrop of Gordon Brown's action is the historic financial collapse Iceland has now suffered. In its wake, the Icelandic state has made financial guarantees which simple arithmetic suggests are far from the realm of possibility. But this is only backdrop. The key feature of the British action against Icelandic assets is the use of legislation that in no way was intended to be so used.

Granting new powers to the state in times of fear and crisis almost always have unintended and negative side effects. Those who have contested both the British anti-terrorism and U.S. "Patriot" acts and the extended powers they grant have been accused of un-patriotic or even disloyal sentiments. But Gordon Brown's unprecedented actions underscore the threat where powers are granted under the guise of "safety and security," and consequently used for the convenience of the state. While the British government will no doubt defend its actions with explanations of the criticality of the threat to British assets - this will sidestep the fundamental issue. The use of anti-terrorist law for purposes decidedly unrelated to terrorism is a different kind of threat - the latter perhaps equal to the former.

If the lines between controlling terrorists and friendly economic partners can be eradicated by no less than the Prime Minister of one of the leading democratic western powers in a time of crisis - what can we expect from governments with histories less democratic in nature?

Key to the principle of limited government is the recognition that government can't do/fix/be everything that is wrong in our lives. And yet, increasingly it appears, we look to our government as the solution, even if of last resort - despite the erosion of liberty that inevitably results. Whether the "Patriot Act," or new legislation intended stem the flood of financial failure - we might ask why we think rapid and sweeping legislative action in the absence of broad, open, and deliberate debate will achieve what prior legislation has failed to do? I'd like to think we'd resist the temptation to accept at face value "solutions" proffered with the attendant risk that it may cost us more than they are intended to save.

We are faced with an unprecedented financial crisis, and one of global proportions. Its repercussions will take many months, if not years, to be realized. The impact on our day-to-day lives will be significant. We will witness the emergence of geo-political alignments that were previously unthinkable. And yet, live our lives we will, and by God's grace, well.

Of all tyrannies a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. -C.S. Lewis

Obama's Foreign Policy Stance (C) 2008 Strategic Forecasting. Reprinted by permission.

2008-09-26T10:45:00.002-05:00

Stratfor --------------------------- OBAMA'S FOREIGN POLICY STANCE (OPEN ACCESS) Editor's Note: This is part two of a four-part report by Stratfor founder and Chief Intelligence Officer George Friedman on the U.S. presidential debate on foreign policy, to be held Sept. 26. Stratfor is a private, nonpartisan intelligence service with no preference for one candidate over the other. We are interested in analyzing and forecasting the geopolitical impact of the election and, with this series, seek to answer two questions: What is the geopolitical landscape that will confront the next president, and what foreign policy proposals would a President McCain or a President Obama bring to bear? For media interviews, e-mail pr@stratfor.com or call 512-744-4309. By George Friedman Barack Obama is the Democratic candidate for president. His advisers in foreign policy are generally Democrats. Together they carry with them an institutional memory of the Democratic Party's approach to foreign policy, and are an expression of the complexity and divisions of that approach. Like the their Republican counterparts, in many ways they are going to be severely constrained as to what they can do both by the nature of the global landscape and American resources. But to some extent, they will also be constrained and defined by the tradition they come from. Understanding that tradition and Obama's place is useful in understanding what an Obama presidency would look like in foreign affairs. The most striking thing about the Democratic tradition is that it presided over the beginnings of the three great conflicts that defined the 20th century: Woodrow Wilson and World War I, Franklin Delano Roosevelt and World War II, and Harry S. Truman and the Cold War. (At this level of analysis, we will treat the episodes of the Cold War such as Korea, Vietnam or Grenada as simply subsets of one conflict.) This is most emphatically not to say that had Republicans won the presidency in 1916, 1940 or 1948, U.S. involvement in those wars could have been avoided. Patterns in Democratic Foreign Policy But it does give us a framework for considering persistent patterns of Democratic foreign policy. When we look at the conflicts, four things become apparent. First, in all three conflicts, Democrats postponed the initiation of direct combat as long as possible. In only one, World War I, did Wilson decide to join the war without prior direct attack. Roosevelt maneuvered near war but did not enter the war until after Pearl Harbor. Truman also maneuvered near war but did not get into direct combat until after the North Korean invasion of South Korea. Indeed, even Wilson chose to go to war to protect free passage on the Atlantic. More important, he sought to prevent Germany from defeating the Russians and the Anglo-French alliance and to stop the subsequent German domination of Europe, which appeared possible. In other words, the Democratic approach to war was reactive. All three presidents reacted to events on the surface, while trying to shape them underneath the surface. Second, all three wars were built around coalitions. The foundation of the three wars was that other nations were at risk and that the United States used a predisposition to resist (Germany in the first two wars, the Soviet Union in the last) as a framework for involvement. The United States under Democrats did not involve itself in war unilaterally. At the same time, the United States under Democrats made certain that the major burdens were shared by allies. Millions died in World War I, but the United States suffered 100,000 dead. In World War II, the United States suffered 500,000 dead in a war where perhaps 50 million soldiers and civilians died. In the Cold War, U.S. losses in direct combat were less than 100,000 while the losses to Chinese, Vietnamese, Koreans and others towered over that toll. The allies had a complex appreciation of the United States. On the one hand, they were grateful for the U.S. presence. On the other hand, they resented the disproportionate amoun ts of blood and effort shed. Some of the roots of anti-Americanism are to be found in this strategy. Third, each of these wars ended with a Democratic president attempting to create a system of international institutions designed to limit the recurrence of war without directly transferring sovereignty to those institutions. Wilson championed the League of Nations. Roosevelt the United Nations. Bill Clinton, who presided over most of the post-Cold War world, constantly sought international institutions to validate U.S. actions. Thus, when the United Nations refused to sanction the Kosovo War, he designated NATO as an alternative international organization with the right to approve conflict. Indeed, Clinton championed a range of multilateral organizations during the 1990s, including everything from the International Monetary Fund, the World Bank, the General Agreement on Tariffs and Trade, and later the World Trade Organization. All these presidents were deeply committed to multinational organizations to define permissible and impermissible actions. And fourth, there is a focus on Europe in the Democratic view of the world. Roosevelt regarded Germany as the primary threat instead of the Pacific theater in World War II. And in spite of two land wars in Asia during the Cold War, the centerpiece of strategy remained NATO and Europe. The specific details have evolved over the last century, but the Democratic Party -- and particularly the Democratic foreign policy establishment -- historically has viewed Europe as a permanent interest and partner for the United States. Thus, the main thrust of the Democratic tradition is deeply steeped in fighting wars, but approaches this task with four things in mind: Wars should not begin until the last possible moment and ideally should be initiated by the enemy. Wars must be fought in a coalition with much of the burden borne by partners. The outcome of wars should be an institutional legal framework to manage the peace, with the United States being the most influential force within this multilateral framework. Any such framework must be built on a trans-Atlantic relationship. Democratic Party Fractures That is one strand of Democratic foreign policy. A second strand emerged in the context of the Vietnam War. That war began under the Kennedy administration and was intensified by Lyndon Baines Johnson, particularly after 1964. The war did not go as expected. As the war progressed, the Democratic Party began to fragment. There were three factions involved in this. The first faction consisted of foreign policy professionals and politicians who were involved in the early stages of war planning but turned against the war after 1967 when it clearly diverged from plans. The leading political figure of this faction was Robert F. Kennedy, who initially supported the war but eventually turned against it. The second faction was more definitive. It consisted of people on the left wing of the Democratic Party -- and many who went far to the left of the Democrats. This latter group not only turned against the war, it developed a theory of the U.S. role in the war that as a mass movement was unprecedented in the century. The view (it can only be sketched here) maintained that the United States was an inherently imperialist power. Rather than the benign image that Wilson, Roosevelt and Truman had of their actions, this faction reinterpreted American history going back into the 19th century as violent, racist and imperialist (in the most extreme faction's view). Just as the United States annihilated the Native Americans, the United States was now annihilating the Vietnamese. A third, more nuanced, faction argued that rather than an attempt to contain Soviet aggression, the Cold War was actually initiated by the United States out of irrational fear of the Soviets and out of imperialist ambitions. They saw the bombing of Hiroshima as a bid to intimidate the Soviet Union rather than an effort to end World War II, and the creation of NATO as having triggered the Cold War. These three factions thus broke down into Democratic politicians such as RFK and George McGovern (who won the presidential nomination in 1972), radicals in the street who were not really Democrats, and revisionist scholars who for the most part were on the party's left wing. Ultimately, the Democratic Party split into two camps. Hubert Humphrey led the first along with Henry Jackson, who rejected the left's interpretation of the U.S. role in Vietnam and claimed to speak for the Wilson-FDR-Truman strand in Democratic politics. McGovern led the second. His camp largely comprised the party's left wing, which did not necessarily go as far as the most extreme critics of that tradition but was extremely suspicious of anti-communist ideology, the military and intelligence communities, and increased defense spending. The two camps conducted extended political warfare throughout the 1970s. The presidency of Jimmy Carter symbolized the tensions. He came to power wanting to move beyond Vietnam, slashing and changing the CIA, controlling defense spending and warning the country of "an excessive fear of Communism." But following the fall of the Shah of Iran and the Soviet invasion of Afghanistan, he allowed Zbigniew Brzezinski, his national security adviser and now an adviser to Obama, to launch a guerrilla war against the Soviets using Islamist insurgents from across the Muslim world in Afghanistan. Carter moved from concern with anti-Communism to coalition warfare against the Soviets by working with Saudi Arabia, Pakistan and Afghan resistance fighters. Carter was dealing with the realities of U.S. geopolitics, but the tensions within the Democratic tradition shaped his responses. During the Clinton administration, these internal tensions subsided to a great degree. In large part this was because there was no major war, and the military action that did occur -- as in Haiti and Kosovo -- was framed as humanitarian actions rather than as the pursuit of national power. That soothed the anti-war Democrats to a great deal, since their perspective was less pacifistic than suspicious of using war to enhance national power. The Democrats Since 9/11 Since the Democrats have not held the presidency during the last eight years, judging how they might have responded to events is speculative. Statements made while in opposition are not necessarily predictive of what an administration might do. Nevertheless, Obama's foreign policy outlook was shaped by the last eight years of Democrats struggling with the U.S.-jihadist war. The Democrats responded to events of the last eight years as they traditionally do when the United States is attacked directly: The party's anti-war faction contracted and the old Democratic tradition reasserted itself. This was particularly true of the decision to go to war in Afghanistan. Obviously, the war was a response to an attack and, given the mood of the country after 9/11, was an unassailable decision. But it had another set of characteristics that made it attractive to the Democrats. The military action in Afghanistan was taking place in the context of broad international support and within a coalition forming at all levels, from on the ground in Afghanistan to NATO and the United Nations. Second, U.S. motives did not appear to involve national self-interest, like increasing power or getting oil. It was not a war for national advantage, but a war of national self-defense. The Democrats were much less comfortable with the Iraq war than they were with Afghanistan. The old splits reappeared, with many Democrats voting for the invasion and others against. There were complex and mixed reasons why each Democrat voted the way they did -- some strategic, some purely political, some moral. Under the pressure of voting on the war, the historically fragile Democratic consensus broke apart, not so much in conflict as in disarray. One of the most important reasons for this was the sense of isolation from major European powers -- particularly the French and Germans, whom the Democrats regarded as fundamental elements of any coalition. Without those countries, the Democrats regarded the United States as diplomatically isolated. The intraparty conflict came later. As the war went badly, the anti-war movement in the party re-energized itself. They were joined later by many who had formerly voted for the war but were upset by the human and material cost and by the apparent isolation of the United States and so on. Both factions of the Democratic Party had reasons to oppose the Iraq war even while they supported the Afghan war. Understanding Obama's Foreign Policy It is in light of this distinction that we can begin to understand Obama's foreign policy. On Aug. 1, Obama said the following: "It is time to turn the page. When I am President, we will wage the war that has to be won, with a comprehensive strategy with five elements: getting out of Iraq and on to the right battlefield in Afghanistan and Pakistan; developing the capabilities and partnerships we need to take out the terrorists and the world's most deadly weapons; engaging the world to dry up support for terror and extremism; restoring our values; and securing a more resilient homeland." Obama's view of the Iraq war is that it should not have been fought in the first place, and that the current success in the war does not justify it or its cost. In this part, he speaks to the anti-war tradition in the party. He adds that Afghanistan and Pakistan are the correct battlefields, since this is where the attack emanated from. It should be noted that on several occasions Obama has pointed to Pakistan as part of the Afghan problem, and has indicated a willingness to intervene there if needed while demanding Pakistani cooperation. Moreover, Obama emphasizes the need for partnerships -- for example, coalition partners -- rather than unilateral action in Afghanistan and globally. Responding to attack rather than pre-emptive attack, coalition warfare and multinational postwar solutions are central to Obama's policy in the Islamic world. He therefore straddles the divide within the Democratic Party. He opposes the war in Iraq as pre-emptive, unilateral and outside the bounds of international organizations while endorsing the Afghan war and promising to expand it. Obama's problem would be applying these principles to the emerging landscape. He shaped his foreign policy preferences when the essential choices remained within the Islamic world -- between dealing with Iraq and Afghanistan simultaneously versus focusing on Afghanistan primarily. After the Russian invasion of Georgia, Obama would face a more complex set of choices between the Islamic world and dealing with the Russian challenge. Obama's position on Georgia tracked with traditional Democratic approaches: "Georgia's economic recovery is an urgent strategic priority that demands the focused attention of the United States and our allies. That is why Senator Biden and I have called for $1 billion in reconstruction assistance to help the people of Georgia in this time of great trial. I also welcome NATO's decision to establish a NATO-Georgia Commission and applaud the new French and German initiatives to continue work on these issues within the EU. The Bush administration should call for a U.S.-EU-Georgia summit in September that focuses on strategies for preserving Georgia's territorial integrity and advancing its economic recovery." Obama avoided militaristic rhetoric and focused on multinational approaches to dealing with the problem, particularly via NATO and the European Union. In this and in Afghanistan, he has returned to a Democratic fundamental: the centrality of the U.S.-European relationship. In this sense, it is not accidental that he took a preconvention trip to Europe. It was both natural and a signal to the Democratic foreign policy establishment that he understands the pivotal position of Europe. This view on multilateralism and NATO is summed up in a critical statement by Obama in a position paper: "Today it's become fashionable to disparage the United Nations, the World Bank, and other international organizations. In fact, reform of these bodies is urgently needed if they are to keep pace with the fast-moving threats we face. Such real reform will not come, however, by dismissing the value of these institutions, or by bullying other countries to ratify changes we have drafted in isolation. Real reform will come because we convince others that they too have a stake in change -- that such reforms will make their world, and not just ours, more secure. "Our alliances also require constant management and revision if they are to remain effective and relevant. For example, over the last 15 years, NATO has made tremendous strides in transforming from a Cold War security structure to a dynamic partnership for peace. "Today, NATO's challenge in Afghanistan has become a test case, in the words of Dick Lugar, of whether the alliance can 'overcome the growing discrepancy between NATO's expanding missions and its lagging capabilities.'" Obama's European Problem The last paragraph represents the key challenge to Obama's foreign policy, and where his first challenge would come from. Obama wants a coalition with Europe and wants Europe to strengthen itself. But Europe is deeply divided, and averse to increasing its defense spending or substantially increasing its military participation in coalition warfare. Obama's multilateralism and Europeanism will quickly encounter the realities of Europe. This would immediately affect his jihadist policy. At this point, Obama's plan for a 16-month drawdown from Iraq is quite moderate, and the idea of focusing on Afghanistan and Pakistan is a continuation of Bush administration policy. But his challenge would be to increase NATO involvement. There is neither the will nor the capability to substantially increase Europe's NATO participation in Afghanistan. This problem would be even more difficult in dealing with Russia. Europe has no objection in principle to the Afghan war; it merely lacks the resources to substantially increase its presence there. But in the case of Russia, there is no European consensus. The Germans are dependent on the Russians for energy and do not want to risk that relationship; the French are more vocal but lack military capability, though they have made efforts to increase their commitment to Afghanistan. Obama says he wants to rely on multilateral agencies to address the Russian situation. That is possible diplomatically, but if the Russians press the issue further, as we expect, a stronger response will be needed. NATO will be unlikely to provide that response. Obama would therefore face the problem of shifting the focus to Afghanistan and the added problem of balancing between an Islamic focus and a Russian focus. This will be a general problem of U.S. diplomacy. But Obama as a Democrat would have a more complex problem. Averse to unilateral actions and focused on Europe, Obama would face his first crisis in dealing with the limited support Europe can provide. That will pose serious problems in both Afghanistan and Russia, which Obama would have to deal with. There is a hint in his thoughts on this when he says, "And as we strengthen NATO, we should also seek to build new alliances and relationships in other regions important to our interests in the 21st century." The test would be whether these new coalitions will differ from, and be more effective than, the coalition of the willing. Obama would face similar issues in dealing with the Iranians. His approach is to create a coalition to confront the Iranians and force them to abandon their nuclear program. He has been clear that he opposes that program, although less clear on other aspects of Iranian foreign policy. But again, his solution is to use a coalition to control Iran. That coalition disintegrated to a large extent after Russia and China both indicated that they had no interest in sanctions. But the coalition Obama plans to rely on will have to be dramatically revived by unknown means, or an alternative coalition must be created, or the United States will have to deal with Afghanistan and Pakistan unilaterally. This reality places a tremendous strain on the core principles of Democratic foreign policy. To reconcile the tensions, he would have to rapidly come to an understanding with the Europeans in NATO on expanding their military forces. Since reaching out to the Europeans would be among his first steps, his first test would come early. The Europeans would probably balk, and, if not, they would demand that the United States expand its defense spending as well. Obama has shown no inclination toward doing this. In October 2007, he said the following on defense: "I will cut tens of billions of dollars in wasteful spending. I will cut investments in unproven missile defense systems. I will not weaponize space. I will slow our development of future combat systems, and I will institute an independent defense priorities board to ensure that the quadrennial defense review is not used to justify unnecessary spending." Russia, Afghanistan and Defense Spending In this, Obama is reaching toward the anti-war faction in his party, which regards military expenditures with distrust. He focused on advanced war-fighting systems, but did not propose cutting spending on counterinsurgency. But the dilemma is that in dealing with both insurgency and the Russians, Obama would come under pressure to do what he doesn't want to do -- namely, increase U.S. defense spending on advanced systems. Obama has been portrayed as radical. That is far from the case. He is well within a century-long tradition of the Democratic Party, with an element of loyalty to the anti-war faction. But that element is an undertone to his policy, not its core. The core of his policy would be coalition building and a focus on European allies, as well as the use of multilateral institutions and the avoidance of pre-emptive war. There is nothing radical or even new in these principles. His discomfort with military spending is the only thing that might link him to the party's left wing. The problem he would face is the shifting international landscape, which would make it difficult to implement some of his policies. First, the tremendous diversity of international challenges would make holding the defense budget in check difficult. Second, and more important, is the difficulty of coalition building and multilateral action with the Europeans. Obama thus lacks both the force and the coalition to carry out his missions. He therefore would have no choice but to deal with the Russians while confronting the Afghan/Pakistani question even if he withdrew more quickly than he says he would from Iraq. The make-or-break moment for Obama will come early, when he confronts the Europeans. If he can persuade them to take concerted action, including increased defense spending, then much of his foreign policy rapidly falls into place, even if it is at the price of increasing U.S. defense spending. If the Europeans cannot come together (or be brought together) decisively, however, then he will have to improvise. Obama would be the first Democrat in this century to take office inheriting a major war. Inheriting an ongoing war is perhaps the most difficult thing for a president to deal with. Its realities are already fixed and the penalties for defeat or compromise already defined. The war in Afghanistan has already been defined by U.S. President George W. Bush's approach. Rewriting it will be enormously difficult, particularly when rewriting it depends on ending unilateralism and moving toward full coalition warfare when coalition partners are wary. Obama's problems are compounded by the fact that he does not only have to deal with an inherited war, but also a resurgent Russia. And he wants to depend on the same coalition for both. That will be enormously challenging for him, testing his diplomatic skills as well as geopolitical realities. As with all presidents, what he plans to do and what he would do are two different things. But it seems to us that his presidency would be defined by whether he can change the course of U.S.-European relations not by accepting European terms but by persuading them to accommodate U.S. interests. An Obama presidency would not turn on this. There is no evidence that he lacks the ability to shift with reality -- that he lacks Machiavellian virtue. But it still will be the first and critical test, one handed to him by the complex tensions of Democratic traditions and by a war he did not start. Tell Stratfor what you think This report may be forwarded or republished on your Web site with attribution to www.stratfor.com For media interviews, contact pr@stratfor.com or call 512-744-4309 If you're not already receiving Stratfor's free intelligence, CLICK HERE to have these special reports e-mailed to you. Copyright 2008 Stratfor.

McCain's Foreign Policy Stance. (C) 2008 Strategic Forecasting. Reprinted by permission.

2008-09-26T10:44:00.005-05:00

Stratfor --------------------------- MCCAIN'S FOREIGN POLICY STANCE (OPEN ACCESS) Editor's Note: This is part three of a four-part report by Stratfor founder and Chief Intelligence Officer George Friedman on the U.S. presidential debate on foreign policy, to be held Sept. 26. Stratfor is a private, nonpartisan intelligence service with no preference for one candidate over the other. We are interested in analyzing and forecasting the geopolitical impact of the election and, with this series, seek to answer two questions: What is the geopolitical landscape that will confront the next president, and what foreign policy proposals would a President McCain or a President Obama bring to bear? For media interviews, e-mail pr@stratfor.com or call 512-744-4309. By George Friedman John McCain is the Republican candidate for president. This means he is embedded in the Republican tradition. That tradition has two roots, which are somewhat at odds with each other: One root is found in Theodore Roosevelt's variety of internationalism, and the other in Henry Cabot Lodge's opposition to the League of Nations. Those roots still exist in the Republican Party. But accommodations to the reality the Democrats created after World War II -- and that Eisenhower, Nixon and, to some extent, Reagan followed -- have overlain them. In many ways, the Republican tradition of foreign policy is therefore more complex than the Democratic tradition. Roosevelt and the United States as Great Power More than any other person, Roosevelt introduced the United States to the idea that it had become a great power. During the Spanish-American War, in which he had enthusiastically participated, the United States took control of the remnants of the Spanish empire. During his presidency a few years later, Roosevelt authorized the first global tour by a U.S. fleet, which was designed to announce the arrival of the United States with authority. The fleet was both impressive and surprising to many great powers, which at the time tended to dismiss the United States. For Roosevelt, having the United States take its place among the great powers served two purposes. First, it protected American maritime interests. The United States was a major trading power, so control of the seas was a practical imperative. But there was also an element of deep pride -- to the point of ideology. Roosevelt saw the emergence of the United States as a validation of the American experiment with democracy and a testament to America as an exceptional country and regime. Realistic protection of national interest joined forces with an ideology of entitlement. The Panama Canal, which was begun in Roosevelt's administration, served both interests. The Panama Canal highlights the fact that for Roosevelt -- heavily influenced by theories of sea power -- the Pacific Ocean was at least as important as the Atlantic. The most important imperial U.S. holding at the time was the Pacific territory of the Philippines, which U.S. policy focused on protecting. Also reflecting Roosevelt's interest in the Pacific, he brokered the peace treaty ending the Russo-Japanese War in 1905 and increased U.S. interests in China. (Overall, the Democratic Party focused on Europe, while the Republican Party showed a greater interest in Asia.) The second strand of Republicanism emerged after World War I, when Lodge, a Republican senator, defeated President Woodrow Wilson's plan for U.S. entry into the League of Nations. Lodge had supported the Spanish-American War and U.S. involvement in World War I, but he opposed league membership because he felt it would compel the United States to undertake obligations it should not commit to. Moreover, he had a deep distrust of the Europeans, whom he believed would drag the United States into another war. The foundations of Republican foreign policy early in the 20th century therefore consisted of three elements: A willingness to engage in foreign policy and foreign wars when this serves U.S. interests. An unwillingness to enter into multilateral organizations or alliances, as this would deprive the United States of the right to act unilaterally and would commit it to fight on behalf of regimes it might have no interest in defending. A deep suspicion of the diplomacy of European states grounded on a sense that they were too duplicitous and unstable to trust and that treaties with them would result in burdens on -- but not benefits for -- the United States. Isolationism This gave rise to what has been called the "isolationist" strand in the Republican Party, although the term "isolation" is not by itself proper. The isolationists opposed involvement in the diplomacy and politics of Europe. In their view, the U.S. intervention in World War I had achieved little. The Europeans needed to achieve some stable outcome on their own, and the United States did not have the power to impose -- or an interest in -- that outcome. Underlying this was a belief that, as hostile as the Germans and Soviets were, the French and British were not decidedly better. Opposition to involvement in a European war did not translate to indifference to the outcome in the Pacific. The isolationists regarded Japan with deep suspicion, and saw China as a potential ally and counterweight to Japan. They were prepared to support the Chinese and even have some military force present, just as they were prepared to garrison the Philippines. There was a consistent position here. First, adherents of this strand believed that waging war on the mainland of Eurasia, either in China or in Europe, was beyond U.S. means and was dangerous. Second, they believed heavily in sea power, and that control of the sea would protect the United States against aggression and protect U.S. maritime trade. This made them suspicious of other maritime powers, including Japan and the United Kingdom. Third, and last, the isolationists deeply opposed alliances that committed the United States to any involvement in war. They felt that the decision to make war should depend on time and place -- not a general commitment. Therefore, the broader any proposed alliance involving the United States, the more vigorously the isolationists opposed it. Republican foreign policy -- a product of the realist and isolationist strands -- thus rejected the idea that the United States had a moral responsibility to police the world, while accepting the idea that the United States was morally exceptional. It was prepared to engage in global politics but only when it affected the direct interests of the United States. It regarded the primary interest of the United States to be protecting itself from the wars raging in the world and saw naval supremacy as the means toward that end. It regarded alliances as a potential trap and, in particular, saw the Europeans as dangerous and potentially irresponsible after World War I -- and wanted to protect the United States from the consequences of European conflict. In foreign policy, Republicans were realists first, moralists a distant second. Following the Japanese attack on Pearl Harbor and the German declaration of war on the United States in 1941, the realist strand in Republican foreign policy appeared to be replaced with a new strand. World War II, and Franklin D. Roosevelt's approach to waging it, created a new reality. Republican isolationists were discredited politically; their realism was seen as a failure to grasp global realities. Moreover, the war was fought within an alliance structure. Parts of that alliance structure were retained, and supplemented grandly, after the war. The United States joined the United Nations, and the means chosen to contain the Soviet Union was an alliance system, with NATO -- and hence the Europeans -- as the centerpiece. Moralism vs. Realism The Republicans were torn between two wings after the war. On the one hand, there was Robert Taft, who spoke for the prewar isolationist foreign policy. On the other hand, there was Eisenhower, who had commanded the European coalition and had an utterly different view of alliances and of the Europeans. In the struggle between Taft and Eisenhower for the nomination in 1952, Eisenhower won decisively. The Republican Party reoriented itself fundamentally, or so it appeared. The Republicans' move toward alliances and precommitments was coupled with a shift in moral emphasis. From the unwillingness to take moral responsibility for the world, the Republicans moved toward a moral opposition to the Soviet Union and communism. Both Republicans and Democrats objected morally to the communists. But for the Republicans, moral revulsion justified a sea change in their core foreign policy; anti-communism became a passion that justified changing lesser principles. Yet the old Republican realism wasn't quite dead. At root, Eisenhower was never a moralist. His anti-communism represented a strategic fear of the Soviet Union more than a moral crusade. Indeed, the Republican right condemned him for this. As his presidency progressed, the old realism re-emerged, now in the context of alliance systems. But there was a key difference in Eisenhower's approach to alliances and multilateral institutions: He supported them when they enabled the United States to achieve its strategic ends; he did not support them as ends in themselves. Whereas Eleanor Roosevelt, for example, saw the United Nations as a way to avoid war, Eisenhower saw it as a forum for pursuing American interests. Eisenhower didn't doubt the idea of American exceptionalism, but his obsession was with the national interest. Thus, when the right wanted him to be more aggressive and liberate Eastern Europe, he was content to contain the Soviets and leave the Eastern Europeans to deal with their own problems. The realist version of Republican foreign policy showed itself even more clearly in the Nixon presidency and in Henry Kissinger's execution of it. The single act that defined this was Nixon's decision to visit China, meet Mao Zedong, and form what was, in effect, an alliance with Communist China against the Soviet Union. The Vietnam War weakened the United States and strengthened the Soviet Union; China and the United States shared a common interest in containing the Soviet Union. An alliance was in the interests of both Beijing and Washington, and ideology was irrelevant. (The alliance with China also revived the old Republican interest in Asia.) With that single action, Nixon and Kissinger reaffirmed the principle that U.S. foreign policy was not about moralism -- of keeping the peace or fighting communism -- but about pursuing the national interest. Alliances might be necessary, but they did not need to have a moral component. While the Democrats were torn between the traditionalists and the anti-war movement, the Republicans became divided between realists who traced their tradition back to the beginning of the century and moralists whose passionate anti-communism began in earnest after World War II. Balancing the idea of foreign policy as a moral mission fighting evil and the idea of foreign policy as the pursuit of national interest and security defined the fault line within the Republican Party. Reagan and the Post-Cold War World Ronald Reagan tried to straddle this fault line. Very much rooted in the moral tradition of his party, he defined the Soviet Union as an "evil empire." At the same time, he recognized that moralism was insufficient. Foreign policy ends had to be coupled with extremely flexible means. Thus, Reagan maintained the relationship with China. He also played a complex game of negotiation, manipulation and intimidation with the Soviets. To fund the Contras -- guerrillas fighting the Marxist government of Nicaragua -- his administration was prepared to sell weapons to Iran, which at that time was fighting a war with Iraq. In other words, Reagan embedded the anti-communism of the Republicans of the 1950s with the realism of Nixon and Kissinger. To this, he added a hearty disdain for Europe, where in return he was reviled as a cowboy. The antecedents of this distrust of the Europeans, particularly the French, went back to the World War I era. The collapse of communism left the Republicans with a dilemma. The moral mission was gone; realism was all that was left. This was the dilemma that George H. W. Bush had to deal with. Bush was a realist to the core, yet he seemed incapable of articulating that as a principle. Instead, he announced the "New World Order," which really was a call for multilateral institutions and the transformation of the anti-communist alliance structure into an all-inclusive family of democratic nations. In short, at the close of the Cold War, the first President Bush adopted the essence of Democratic foreign policy. This helps explain Ross Perot's run for the presidency and Bush's loss to Bill Clinton. Perot took away the faction of the Republican Party that retained the traditional aversion to multilateralism -- in the form of NAFTA, for example. It was never clear what form George W. Bush's foreign policy would have taken without 9/11. After Sept. 11, 2001, Bush tried to re-create Reagan's foreign policy. Rather than defining the war as a battle against jihadists, he defined it as a battle against terrorism, as if this were the ideological equivalent of communism. He defined an "Axis of Evil" redolent of Reagan's "Evil Empire." Within the confines of this moral mission, he attempted to execute a systematic war designed to combat terrorism. It is important to bear in mind the complexity of George W. Bush's foreign policy compared to the simplicity of its stated moral mission, which first was defined as fighting terrorism and later as bringing democracy to the Middle East. In the war in Afghanistan, Bush initially sought and received Russian and Iranian assistance. In Iraq, he ultimately reached an agreement with the Sunni insurgents whom he had formerly fought. In between was a complex array of covert operations, alliances and betrayals, and wars large and small throughout the region. Bush faced a far more complex situation than Reagan did -- a situation that, in many instances, lacked solutions by available means. McCain: Moralist or Realist? Which brings us to McCain and the most important questions he would have to answer in his presidency: To what extent would he adopt an overriding moral mission, and how would he apply available resources to that mission? Would McCain tend toward the Nixon-Kissinger model of a realist Republican president, or to the more moralist Reagan-Bush model? Though the answers to these questions will not emerge during campaign season, a President McCain would have to answer them almost immediately. For example, in dealing with the Afghan situation, one of the options will be a deal with the Taliban paralleling the U.S. deal with the Iraqi Sunni insurgents. Would McCain be prepared to take this step in the Reagan-Bush tradition, or would he reject it on rigid moral principles? And would McCain be prepared to recognize a sphere of influence for Russia in the former Soviet Union, or would he reject the concept as violating moral principles of national sovereignty and rights? McCain has said the United States should maintain a presence in Iraq for as long as necessary to stabilize the country, although he clearly believes that, with the situation stabilizing, the drawdown of troops can be more rapid. In discussing Afghanistan, it is clear that he sees the need for more troops. But his real focus is on Pakistan, about which he said in July: "We must strengthen local tribes in the border areas who are willing to fight the foreign terrorists there. We must also empower the new civilian government of Pakistan to defeat radicalism with greater support for development, health, and education." McCain understands that the key to dealing with Afghanistan lies in Pakistan, and he implies that solving the problem in Pakistan requires forming a closer relationship with tribes in the Afghan-Pakistani border region. What McCain has not said -- and what he cannot say for political and strategic reasons -- is how far he would go in making agreements with the Pashtun tribes in the area that have been close collaborators with al Qaeda. A similar question comes up in the context of Russia and its relations with other parts of the former Soviet Union. Shortly after the Russian invasion of Georgia, McCain said, "The implications of Russian actions go beyond their threat to the territorial integrity and independence of a democratic Georgia. Russia is using violence against Georgia, in part, to intimidate other neighbors such as Ukraine for choosing to associate with the West and adhering to Western political and economic values. As such, the fate of Georgia should be of grave concern to Americans and all people who welcomed the end of a divided Europe, and the independence of former Soviet republics. The international response to this crisis will determine how Russia manages its relationships with other neighbors." McCain has presented Russia's actions in moral terms. He also has said international diplomatic action must be taken to deal with Russia, and he has supported NATO expansion. So he has combined a moral approach with a coalition approach built around the Europeans. In short, his public statements draw from moral and multilateral sources. What is not clear is the degree to which he will adhere to realist principles in pursuing these ends. He clearly will not be a Nixon. Whether he will be like Reagan, or more like George W. Bush -- that is, Reagan without Reagan's craft -- or a rigid moralist indifferent to consequences remains in question. It is difficult to believe McCain would adopt the third option. He takes a strong moral stance, but is capable of calibrating his tactics. This is particularly clear when you consider his position on working with the Europeans. In 1999 -- quite a ways back in foreign policy terms -- McCain said of NATO, "As we approach the 50th anniversary of NATO, the Atlantic Alliance is in pretty bad shape. Our allies are spending far too little on their own defense to maintain the alliance as an effective military force." Since then, Europe's defense spending has not soared, to say the least. McCain's August 2008 statement that "NATO's North Atlantic Council should convene in emergency session to demand a cease-fire and begin discussions on both the deployment of an international peacekeeping force to South Ossetia" must be viewed in this context. In this statement, McCain called for a NATO peacekeeping force to South Ossetia. A decade before, he was decrying NATO's lack of military preparedness, which few dispute is still an extremely significant issue. But remember that presidential campaigns are not where forthright strategic thinking should be expected, and moral goals must be subordinate to the realities of power. While McCain would need to define the mix of moralism and realism in his foreign policy, he made his evaluation of NATO's weakness clear in 1999. Insofar as he believes this evaluation still holds true, he would not have to face the first issue that Barack Obama likely would -- namely, what to do when the Europeans fail to cooperate. McCain already believes that they will not (or cannot). Instead, McCain would have to answer another question, which ultimately is the same as Obama's question: Where will the resources come from to keep forces in Iraq, manage the war in Afghanistan, involve Pakistanis in that conflict and contain Russia? In some sense, McCain has created a tougher political position for himself by casting all these issues in a moral light. But, in the Reagan tradition, a moral position has value only if it can be pursued, and pursuing those actions requires both moral commitment and Machiavellian virtue. Therefore, McCain will be pulled in two directions. First, like Obama, he would not be able to pursue his ends without a substantial budget increase or abandoning one or more theaters of operation. The rubber band just won't stretch without reinforcements. Second, while those reinforcements are mustered -- or in lieu of reinforcements -- he will have to execute a complex series of tactical operations. This will involve holding the line in Iraq, creating a political framework for settlement in Afghanistan and scraping enough forces together to provide some pause to the Russians as they pressure their periphery. McCain's foreign policy -- like Obama's -- would devolve into complex tactics, where the devil is in the details, and the details will require constant attention. The Global Landscape and the Next President Ultimately, it is the global landscape that determines a president's foreign policy choices, and the traditions presidents come from can guide them only so far. Whoever becomes president in January 2009 will face the same landscape and limited choices. The winner will require substantial virtue, and neither candidate should be judged on what he says now, since no one can anticipate either the details the winner will confront or the surprises the world will throw at him. We can describe the world. We can seek to divine the candidates' intentions by looking at their political traditions. We can understand the intellectual and moral tensions they face. But in the end, we know no more about the virtue of these two men than anyone else. We do know that, given the current limits of U.S. power and the breadth of U.S. commitments, it will take a very clever and devious president to pursue the national interest, however that is defined. Tell Stratfor what you think This report may be forwarded or republished on your Web site with attribution to www.stratfor.com For media interviews, contact pr@stratfor.com or call 512-744-4309 If you're not already receiving Stratfor's free intelligence, CLICK HERE to have these special reports e-mailed to you. Copyright 2008 Stratfor.

Terrorism Weekly : The Second Cold War and Corporate Security

2008-09-03T20:09:00.003-05:00

(republished by permission of Stratfor.Com)

For my business colleagues, note the Implications for Business section below.

Strategic Forecasting, Inc.
---------------------------

THE SECOND COLD WAR AND CORPORATE SECURITY

By Fred Burton and Scott Stewart

A lot has been written about last month's conflict between Russia and Georgia, and the continuing tensions in the region. Certainly, there were many important lessons to be gleaned from the conflict relating to the Russian military, Russian foreign policy and the broader geopolitical balance of power.

One facet of the Russian operations in Georgia that has been somewhat overlooked is the intelligence aspect. Clearly, the speed with which the Russian military responded to the Georgian invasion of South Ossetia indicates that they were not caught off guard. They knew in advance what the Georgians were planning and had time to prepare their troops for a quick response to the Georgian offensive.

It is important to remember that the Russian operation in Georgia did not happen in a vacuum or without warning. It was a foreseeable outcome of the resurgence of Russian power that began in 1999 when Vladimir Putin came to power, and an outward demonstration of Russia's increasing assertiveness. One important element of Russia's ascendancy under Putin has been a resurgence of the Russian intelligence agencies. The excellent intelligence Russia had regarding Georgian intentions in South Ossetia is proof that the Russian intelligence agencies are indeed back in force. But Putin's rise to power clearly demonstrates that while these intelligence elements may have been weakened, they were never totally gone.

As pressure continues to build between Russia and the West -- and as we perhaps slip closer to a second Cold War -- it is worth remembering that an actual armed conflict between NATO and the Warsaw Pact never took place despite military tension and some warfare between proxies. Rather, the Cold War was fought largely with intelligence services. Certainly, the Cold War led to the birth and rapid growth of huge intelligence agencies on both sides of the Iron Curtain. These intelligence agencies will also play a significant role in the current strain between Russia and the West.

The world has changed dramatically since the fall of the Soviet Union in 1991. In this age of globalization, e-commerce and outsourcing, there are many more Western companies with interests in Russia than during the Cold War. This means that an escalation of Cold War-type intelligence activity will have profound effects on multinational corporations.

Historical Context

The time period following the fall of the Soviet Union was catastrophic for Russia -- workers went unpaid, social services collapsed and poverty was epidemic. The oligarchs seemingly stole everything that was not nailed down and organized crime groups became extremely powerful. Public corruption, which had been endemic (though somewhat predictable) in the old Soviet system, worsened dramatically. Many Russians were ashamed of what their country had become; others feared it would implode entirely.

Into this chaos came Vladimir Putin, a former Soviet intelligence officer who ascended in Russian politics due in part to his significant connections. But Putin's rise was also largely aided by his firm handling of the second Chechen war in 1999 and the fact that he offered the Russian people hope that their national greatness could somehow be restored. While Putin left the Russian presidency in May 2008 and is now the prime minister again (as he was in the final months of the Yeltsin presidency), he continues to be immensely powerful and extremely popular. Most Russians believe Putin saved Russia from sure destruction.

A major part of Putin's strategy to regain control over the government, economy, oligarchs and organized crime groups was his program to reorganize and strengthen the Russian intelligence agencies, which had been severely atrophied since the fall of the Soviet Union. During the 1990s, politicians such as Mikhail Gorbachev and Boris Yeltsin saw a powerful intelligence agency as a potential threat -- with good reason. Because of this threat, laws were enacted to fracture and weaken the once-powerful agency. In 1991, the KGB was dismantled after a failed coup against Gorbachev in which some KGB units participated and tanks rolled onto Red Square.

Following additional failed coup attempts, the Federal Counterintelligence Service (FSK), the KGB's immediate successor, was split into several smaller agencies in 1995 under the perception that it remained too powerful. By creating competition among the smaller intelligence services, higher-ups hoped that additional coup attempts could be avoided. Following this shattering of the FSK, the counterintelligence core of the former KGB and FSK became known as the Federal Security Bureau (FSB). The foreign intelligence portion of the FSK became the Foreign Intelligence Service (SVR).

When Putin came into power, he instituted an ambitious plan to reconstitute the FSB. He has steadily worked to reconsolidate most of the splinter intelligence agencies back under the FSB, correcting much of the inefficiency that existed among the separate agencies and making the new combined agency stronger and more integrated. Moreover, since 1999, Putin has ensured that the FSB receive large funding increases to train, recruit and modernize after years of disregard. Currently, the SVR remains separate from the FSB, but other crucial components such as the Federal Border Service and Federal Guard Service have been reintegrated, as has the Federal Agency of Government Communications and Information (FAPSI), Russia's equivalent of the U.S. National Security Agency.

Additionally, Putin has tapped many former KGB and current FSB members to fill positions within Russian big business, the Duma and other political posts. Putin's initial reasoning was that those within the intelligence community thought of Russia the same way he did -- as a great state domestically and internationally. Putin also knew that those within the intelligence community would not flinch at his sometimes brutal means of consolidating Russia politically, economically, socially and in other ways. It could be reasonably argued that Russia has become an "intelligence state" under Putin.

Since assuming power, Putin has also worked to strengthen the Russian military and the GRU, Russia's military intelligence agency. The GRU was undoubtedly very involved in the operation in Georgia, as was the SVR. There are some who suggest that Russian agents of influence may have played a part in convincing Georgian President Mikhail Saakashvili to attack South Ossetia and spring a trap the Russians had set.

Implications for Business

Since the fall of the Soviet Union, foreign corporations have been very busy in Russia as they scramble for market share, attempt to profit from Russia's massive natural resources and seek to meet growing demand for consumer products. For these companies, growing Russian nationalism and tension with the West increases both the chance of regulatory and legal hassles and the possibility that Russian intelligence activity might be directed their way. In other words, as tensions rise, so could the risk for Western corporations.

Not all these problems are new. As a young KGB officer, Putin earned his living by stealing technology from the West. And he has since encouraged Russian intelligence agencies to expand their collection programs with the awareness that such information can assist the Russian economy and specifically the revival of the defense sector. While the Russians have an advanced weapons research and development infrastructure, they are very pragmatic. They do not see the need to spend the money to develop a technology from scratch when they can steal or buy it for a fraction of the cost and effort. This pragmatism was clearly demonstrated in their early nuclear weapons program.

Just as Russia's reinvigorated intelligence collection efforts were gaining steam, the United States was hit by the 9/11 attacks. As a result, domestic intelligence agencies in the United States and many other Western nations focused on the counterterrorism mission and diverted counterintelligence resources to help in that fight. It would take several years for the domestic counterintelligence efforts to get back to their pre-9/11 levels, and like the Chinese, the Russian intelligence services took broad advantage of that window of opportunity to recruit sources and obtain critical information from foreign companies. Additionally, the Russians have gone to great lengths to steal intellectual property from foreign firms operating inside Russia, either by infiltrating their companies with agents or by recruiting employees.

The Russians are not only drawn to companies that produce sophisticated military equipment. Like the Chinese and others, they are interested in collecting information on emerging technology that is not yet classified but has potential military application. These sectors include materials research, nanotechnology, advanced electronics and information technology. Ultimately, however, they will not turn their backs on the opportunity to obtain sophisticated current weapons system data.

Russian collection and recruitment efforts will also not be confined to Russia or the United States. The Russians can gain as much information by recruiting an American businessman in Tokyo, Vienna or Mexico City as they can from one they recruit in New York or Seattle, if they choose their target wisely. The Soviets and Russians have long enjoyed operating out of third countries. During the Cold War, their primary platform for collecting intelligence against the United States was Mexico City, and their preferred platform to collect against European targets was Vienna.

Former KGB officers are also heavily involved in trafficking Russian and Eastern European women for prostitution in Tokyo, Dubai and Miami. These former KGB officers could easily utilize their positions of access to identify potential recruits for friends at their old agency, perhaps for a profit -- consider how many former intelligence officers now are working as contractors for U.S. intelligence. The FSB/SVR might not be the KGB in name, but they clearly are the KGB in spirit and will not hesitate to use sexual or other blackmail if that is more effective than money, ideology or ego as a recruiting hook.

For Western companies operating inside Russia, an increase in tensions will, in all likelihood, mean an increased scrutiny of the companies' activities as well as an increased focus on their expatriate employees in an effort to recruit sources and to locate Western intelligence officers. Like it or not, all intelligence agencies use nonofficial cover to get their officers into hostile countries -- and corporate cover is widely used. Indeed, the Russians have long claimed that the United States and other countries have been using businesses and nongovernmental organizations to provide cover to intelligence officers seeking to undermine Russian influence in the former Soviet Union and to operate inside Russia itself.

Nonofficial cover officers (referred to as NOCs in intelligence parlance) are intelligence officers without visible links to their government and therefore not protected by diplomatic immunity. For this reason, NOC operations are somewhat riskier. Harder to identify as intelligence officers, NOCs are frequently assigned to sensitive tasks -- those that a host country counterintelligence service would dearly love to learn about.

Keeping this in mind, Russian counterintelligence services will be carefully looking over the business visa applications of Western companies. Surveillance activities on expatriate employees will also likely increase as the Russians work to identify any potential undercover intelligence officers. They will also seek to recruit expatriate and local employees who can act as spotters to identify any potential intelligence officers.

This surveillance of Western businesses may apply to both corporate offices and employees' residences. Businessmen may be physically surveilled and their residences subjected to technical surveillance and mail/garbage covers. Domestic workers may also be recruited in an effort to collect information on their employers. Known or suspected NOCs will be carefully watched and will likely even be overtly harassed.

So far, we have not heard of the Russians directing this type of aggressive surveillance activity against U.S. companies, or of U.S. companies having problems obtaining visas for their employees. But as the tensions increase between Russia and the United States, and as intelligence operations become increasingly hostile, it is only a matter of time before they do.

Privacy Advocacy, System Design, and Consumer Convenience

2008-06-12T15:40:00.005-05:00

When I think about the properties of a system that requires personally identifiable information, two immediately come to mind. First, as a party relying on such information, I collect personally identifiable information (PII) in order to facilitate the discharge of an obligation on the part of the person who is the ostensible subject of the information. Once that obligation has been discharged (I have been paid), its has no further reason to exist.

However, consumers like "convenience" when returning to, say, BuyMyStuff.com - and thereby delight in allowing BuyMyStuff to retain their credit card numbers, expiration dates, and CVC code, (even though the latter is intended to demonstrate the physical presence of the card used). Merchants are happy to offer that convenience if it means customers will more frequently visit their site instead of a competitors. The unintended side-effect of the merchant's retention of this data is the creation of a target of opportunity.

One might argue that Privacy advocacy has reduced indiscriminate PII retention, or at least offered consumers with clearer "opt-out" clauses that have the same effect, and especially for cases where a Merchant retains consumer information in order to target them with more focused sales and marketing campaigns.

But the first case is the more problematic one, in that rather than retaining preferences and buying behaviours for the simple purpose of facilitating more spending, it is an attack vector for those who want to perpetrate fraud against the subjects of the data and their CC providers. You might call this kind of retention bad. I would agree.

There is also a privacy case which questions the extent to which governments should be permitted to surveil their populace. The data aggregation implied by the so-called "Real-ID" effort represents such a case, and paranoia aside, should give us reason to pause and ask "Why?"

Systems designed with the principle of Fitness -for-Purpose necessarily constrain themselves to capabilities which support their primary objectives. The more general the design of "General Purpose Systems," the more unintended side-effects they will exhibit when broadly deployed. I believe this will be observed whether for so-called "Identity Management" (if it looks like user administration . . ., etc.) or "National Security" ("lets keep our borders secure!").

At the end of the day (I'm going home in a minute) - the systems we deploy should reflect explicit requirements and expected consequences, not hidden agendas and/or unintentional consequences. Our jobs should be to discover each, and be scrupulously honest about their implications to our customers and society at large. The degree of rancor which can be observed in this debate outside of our happy little corporation is I think a measure of the public's distrust of us in our design, or vendors (or governments) in their deployments. We might consider what it means to address each.

RSA 2008

2008-04-15T22:21:00.005-05:00

Amazingly I was invited to speak a this year's RSA Conference in San Francisco. The topic was Digital Identity and Service Oriented Architecture. I even got to use my new green 5mw laser pointer. I got to use neo-logisms, talk about hebephrenia, and address the current state of federated identity management. I'll post the links to the presentation and mp3 here when published later this month.

Behnam Dayanim of Paul Hastings, and Ed Reed - Privacy Officer of EDS had a useful talk on international compliance. Ben is pointed and clear. Ed - passionate and distinct. I commend their chat when its available.

The RSA speaker's dinner (awesome h'ourdourves!) was held at the old Federal Reserve Building on Battery, and I got to eat at the BEST sushi bar in San Francisco before my departure, Hamano Sushi, 1332 Castro - to which I was recommended many years ago by the concierge of the then All Nippon Airways (ANA) Hotel (now the Argent Hotel). Hamano Sushi is a neighborhood sushi bar, with an exquisitely fresh menu, and a delightful staff. Go , eat, enjoy! (But don't tell ANYBODY!)

I've been remiss in blogging this year. My apologies. May this year bring useful thoughts to you who've been directed my way. Bless you.

Vista Woes and Blithe Ignorance

2008-03-10T10:53:00.003-05:00

My friend Michael sent me the following NY TImes Story, "They Criticized Vista. And They Should Know."

"A colleague's had a glossary of various definitions of "IBM." My favorite is of course "I Buy Mac."

Having just upgraded to Leopard (Mac OS X 10.5) I am happily using all my "old stuff," along with some new software that was upgraded for Leopard users in mind. Oh yeah - in 3 years (this may) I haven't had one virus infection, only 2 system crashes (with the very first version of "Tiger" 3 years ago), and it just seems to connect and work. Even Lotus Notes runs natively and hasn't crashed since I moved to its GA release from the MAC beta.

What's this got to do with Microsoft? Nothing. I think that's the beauty of it.

Web 2.0 - is the Canary Dying?

2007-11-07T21:46:00.000-06:00

My friend Ben says that AJAX is the canary in the coal mine of Web 2.0.

Could poor AJAX application design be the carbon monoxide that lulls it into a permanent sleep?

We've recently been hearing complaints like "Your {web,app,proxy,security}-server is breaking my AJAX application!" It appears that multi-threaded AJAX clients are getting confused when their various HTTP requester threads receive unexpected HTTP responses.

The key is "unexpected HTTP responses."

We've seen no problem with AJAX or other JavaScript based clients that make sure that their HTTP requests and response handling follow the HTTP spec. AJAX client failures related to HTTP can generally be traced to a failure to properly process HTTP responses. The most common problem with AJAX clients is that their writer's make assumptions about the kind of HTTP responses they expect, rather than to follow the spec and handle whatever could legally arrive as the response.

Then there is the implication that the aforementioned {web,app,proxy,security}-server know that its receiving requests from a single AJAX client.

Imagine 50 browsers with users simultaneously performing an HTTP Get on a server protected URL. Then imagine a single AJAX client doing the same thing. There is nothing in the HTTP protocol that enables the server to distinguish the browser requests from those of the AJAX client, or correlate the AJAX client's requests. Neither HTTP User Agent - simple browser or AJAX clients - can make assumptions about the nature of any others HTTP requests. In the case of requests coming from multiple Browsers, this of course seems obvious; perhaps less so with multiple and asynchronous requests from a single AJAX client.

Cross-Request Correlation?

HTTP State Management (Cookies) or other state management techniques (like SSLID) must be initialized some way from the client. In a security environment - this initialization generally reflects an authentication event. If the authentication and state mechanism results in a portable artifact like an HTTP Cookie, there's nothing to stop the user agent (browser or AJAX client) from sharing it with other requesters - especially if its an AJAX client spawning multiple requests. But the important point is that the application must manage and synchronize "authentication state," including any state artifacts, across it's threads' requests.

If HTTP requests are to be coordinated in an application, two things must happen. The first is that each and every HTTP request should be prepared to handle any legal HTTP response specified in RFC 2616. Secondly, it must assure that it only assumes what it itself controls. If the application sends multiple requests, then it may use cookies or some other construct to "maintain state" between serialized requests, or may even "share cookies" across parallel/simultaneous requesters to do so across it's separate threads. But it's the application that must do so. To assume without explicit coding that all threads automatically share any other thread's state is a classic parallel processing design error.

A well behaved AJAX client would assure that each thread capable of sending an HTTP request could handle both the full array of legal HTTP responses (200 ok, 302 found, 401 unauthorized, 500 internal server error, authentication challenges, etc.) and effectively manage any parallel connection(s) it spawned.

The fundamental challenge we face is that many AJAX applications are poorly executed and fail to fulfill the HTTP contract by not being able to handle arbitrary but legal HTTP responses. They don't know what to do with login pages, redirects, displacement pages, etc. The server that could detect and anticipate an ill behaved HTTP requester, and modify its behavior accordingly would be omniscient indeed.

AJAX is great technology, but magic it ain't.

of Hubris and Humility

2007-10-17T06:04:00.001-05:00

It is said that hubris is not the act of thinking too highly of oneself, but rather not thinking highly enough of others.

It is the latter, not the former that reveals the inner working of our heart, the orientation of our conduct, and our true attitude towards ourselves. One who has high regard for others need not deprecate ones own abilities, gifts, talents, or choices. Indeed, a healthy and accurate view of oneself, of both ones strengths and weaknesses reveals itself in the strength to value, even honor the gifts and abilities of others. The failure to do so is not only a failure to recognize the value represented by the achievement of others, but it also reveals a depth of insecurity that underscores a truly self-centered attitude and the behaviour by which it is marked.

Jesus walked in humility, and that humility was not bred in insecurity, but rather in the absolute knowledge that though "He existed in the form of God, He did not regard equality with God a thing to be grasped, but emptied Himself, taking the form of a bond-servant, and being made in the likeness of men." The man who drove the currency exchange out of the temple with a hastily assembled whip was no wimp. Neither was the man who washed his own disciples feet. It was precisely because He was secure in the Identity given him by His Father that he could do so, and teach those who would follow Him the way by which they might share both his attitude and His service.

ref: Phillipians 2:6-7, Isaiah 60:1-2a

Tilting at Windmills 1: Identity Management v Access Control Management

2007-10-16T12:54:00.000-05:00

I said I'd say why I use the term access control rather than the term identity management. I'm tilting at windmills, I know - but I don't think we manage Identities - though its a cool marketing idea. In fact we manage symbols we bind to notions of real persons like "Alice" or "Bob", and that we bind to non-real but useful notions such as "root," or "Administrator." We manage identifiers, which may be defined as the attributes of entities, real and non-real, having representations in some system. A login identifier or username is no more an identity than is my driver's license. The latter is in fact a certificate that contains identifying attributes about me; it is neither me nor my identity.

Access control management is the name that has historically (until about 2001) encompassed the management of subjects or users - their names and symbolic references; objects, resources, or targets - entities on which subjects may act; actions which describe what actions a subject may execute upon an object; and conditions or context unrelated to attributes of subjects or objects, which will inform an access control decision. Separating user administration from access management and calling it Identity Managment, has had debatable success from a number of perspectives.

Renaming something may enable us to look at it from different perspectives, and learn new things about it. The whole introduction of life cycle management into user administration has been a demonstrable benefit of identity management. But this wasn't a consequence of renaming it, it was a consequence of trying to address user administration in enterprise scale. I think the confusion caused by the divorce between access control management and user administration, I'm sorry - Identity Management - may have provided short term marketing benefits, but in the long run it has damaged the application of well founded principles.

While marketing departments and techno-strategists will vociferously defend their newly named product or try to explain why identity management is not user administration, or for that matter why SOA isn't client/server, or an attribute service isn't a virtual or meta-directory - call me a fundamentalist (no fun, and slightly mental) - but I ain't buyin' it.

~r

Identity Mashups and Gravy . . .

2007-10-15T13:56:00.000-05:00

Identity Mashup refers to the problem of properly rendering distributed information controlled by separate entities. Identity only refers to the type of information, and is important as a distinction only insofar as it relates to the access control model (user-centric policy control) and not to the information (user attributes).

For those inclined towards reductionism, the entire Identity Mashup/User-Centric Identity/Privacy/Cardspace/Higgins/SXIP constellation simply concerns access control and its management. That suggests to me at least that we can employ a fundamental understanding of access control theory to the problem. (Why access control and not Identity Management in following blog)

Traditional access control is implemented with a centralized security policy model such that access control policy is centrally administered across the resources protected. User-centric access control turns this model on its head - giving the users or account holders the ability to set access control policy on attributes associated with themselves.

User-Centric access control is related to the privacy problem. Its about a non-system owner (a user) controlling access control policy on data elements specifically delegated to it by the system owner (service). But in the end its all about the enforcement of a policy that says who can get to what when. It not important that the what are attributes about a particular person to the essential technical problem.

There are at least two differences between traditional access control systems and those that are user-centric. The first concerns who controls the governing policy - not the mechanism by which access control is effected. The second is akin to the digital rights management (DRM) problem - how to control access and use of remote information.

Cardspace, Higgins, and OpenID seek to address the first concern, providing the user with mechanisms to specify the information (user attributes) to which the user is willing to grant access. The second is problematic if the system on which the information to be accessed is not directly within the user's control, and its not by definition. The problem is exponentially more complicated if the information is distributed across multiple systems, which likely it is.

The system of which the Mashup is a part, is concerned with accessing potentially distributed sources of user data, and doing so in a manner that user-specified or otherwise distributed policy can be reliably enforced. This is true whether the implementation is an Eclipse Project Higgins Identifier Agent, Micrsoft(R) CardSpace, Higgins' Identifier Attribute Service (IdAS), Facebook, MySpace, or LinkedIn. Its also true whether the content of the mashup is rendered on the browser via Ajax or on LinkedIn as an aggregation of my connections' profiles.

Bob Blakley in his recent Burton blog reiterates his long held position that privacy (user-centric policy management) problems are at their core legal, social, and economic problems. I contend legal, social, or economic solutions are the default when the technical problem is intractable, its solution illusive or incomplete. Even if the enforcement challenge of Identity Mashups can be solved - the DRM aspects of user-centric policy management suggest that technical solutions for Identity 2.0 may suffer a similar fate as those for DRM. Certainly legal recourse is the soup du jour for those whose technologies are insufficient to the access control challenge. Can you spell RIAA?

OpenID - New Threat or Misdirection?

2007-09-11T19:06:00.000-05:00

My friend Ivan aimed me here. Suffice it to say this post (and its myriad of contributors) have illuminated OpenID's risks far better than could I.

But I have to ask, (this one's for you, Ivan), why ALL the incredible attention to OpenID, when the largest bank in the US continues to foist upon its customers commercial security snake oil that remains susceptible to MITM. It has now compounded its sins by adding "mobile authentication" as yet another mechanism by which you, the hapless victim, are "assured" your transaction is safe despite being routed through a man-in-the-middle.

The security principle violated in this "security technology" is the registration principle: Authentication requires prior registration of user and credentials in a channel distinct from the authentication channel. The registering of a "new" computer in the same channel as authentication occurs enables MITM - which this video demonstrates.

In "fairness," what do you, the user have to do wrong in order for this vulnerability to be exploited.

User doesn't validate the SSL session (and associated certificate) of the site to which you're routed. If the user clicks-through the SSL warning (certificate not recognized or doesn't match URL) you've done wrong. But if you type https://www.bofa.com instead of https://www.bankofamerica.com you're browser will tell you the certificate might be bogus - but you'll "click-through" any way because it looks like BofA. Doesn't it?
You enter your username but the site says it doesn't recognize your computer and asks you the name of your favourite poodle (or whatever challenge phrase you've established). You logged in with this computer yesterday, but what the heck - maybe BofA is confused. You respond "Fifi." You've done wrong. It didn't recognize you because you were communicating with a "zombie" which in turn was communicating with your bank as if it were you. You've just registered the "zombie" as an authorized device for your account and didn't even know it. Of course "adaptive security" will mitigate the number of accounts that are accepted from one zombie. But how many zombies are needed to clean out your account? (Answer: 1)
After "re-registering" your computer, which might legitimately occur if you've cleaned your cookie cache for example, your bank shows you the picture of the emperor penguin you previously selected as your authenticating penguin. You believe this "proves" you're talking to your bank. You've done wrong. The lawyers will claim it DOES prove you're talking to your bank. The problem is that it DOESN'T PROVE you're not talking through a THIRD PARTY who has just acquired enough data to electronically transfer money out of your account to the max limit each day until either you notice strange withdrawals or you account is over drafted when your mortgage check hits.

How do you do right?

Validate certificates in an SSL session. Check that your browser is using an SSL URL like https://... NOT http://... and that the certificate is recognized by the browser.
Learn how SSL works. Talk to your friends about it. Discuss it at dinner with your kids. Bring it up at your church group. Don't expect others to know what you do not. There's nothing wrong with not knowing how to lock your door. But going on vacation while leaving your valuable inside without this knowledge is just foolish. Ask until someone can answer in a way you can understand.

SSL is neither convenient, simple, or consumable. But who ever said holding on to money was?

SSL can provide real security. That other stuff is a digital platitude of the deceptive kind.

Cheers!

Protection Racket or Libel Suit?

2007-08-06T22:03:00.001-05:00

CNet News.com has reported that

... as part of VDA's business model, vendors are asked to pay for the bugs it discovers, or its consulting services, otherwise VDA threatens to sell the bug to a third party or make the details of the security flaw public.

Is VDA's founder Jared DeMott just another racketeer? Or is there a libel suit on the winds?

Findlaw says that most states define extortion as "the gaining of property or money by almost any kind of force, or threat of 1) violence, 2) property damage, 3) harm to reputation, or 4) unfavorable government action."

"Pay up or else!" seems to be what CNet is reporting about VDA. But then again, I'm no legal scholar.

Apparently neither is Mr. DeMott.

Don't Miss!

2007-08-06T18:37:00.000-05:00

A couple of "don't miss" articles might be useful.

Jeff Crume's recent article on the myths and reality of Directories is a positive discussion of a topic that has been a source of considerable teeth gnashing if not outright nonsense.

Infoweek claims hacking attempts are up 81% this year, riding on the backs of Man In The Middle Attack kits reported to being sold at various hacker sites.

MITM based phishing continues to be not only theoretically possible, but a straight-forward exercise for anyone conversant in HTTP based technology. My new friends at Indiana University illustrate the an alternate view of the problem I discussed in a previous post. They also have a nice repository of papers if you're interested in a more academic treatment of phishing.

Cheers!

~r

Instance-Level Access Control

2007-07-20T14:29:00.000-05:00

In the world of Twitter, OpenID, and Web 2.0, you might expect to find this in an archive from 2004 - but here it is. If you don't want to read all of it, the bottom line is:

The failure to adequately define and specify terms renders the the development of security software an unknown and thereby risky venture,
Instance Level Access Control is typically used to mean access control that is more specific than what you have today, and
Application developers and users don't care about fuzzy terms if the software they're using does something useful and/or is fun.

The solution

Define all terms, especially if they pertain to security, risk, privacy, or compliance; and the applications that feature them.
Do #1 even if you think "everyone" knows what you mean. They probably don't.
Instance Level Access control generally means understanding a protected resource at the level at which its expressed by an application. If so, it reflects the level at which the semantics of access control can be captured enforced.

Instance-Level Access Control?

I contend that in application architecture and for a host of non-security specific technologies, a certain degree of fuzziness of terms its not harmful and may even aid use and adoption. An user discovers capability despite or perhaps in spite of what it is called, and just appreciates the fact that it does something useful for them.

Whereas this fuzziness may be a great strategy for the conceptualization, design, and development of certain types of application, it has deleterious effects on the realization of security capability, generally inhibiting the goal of risk mitigation. This is simply because risk is proportional to uncertainty.

Consider the Federal Financial Institutions Examination Council (FFIEC) and its regulations around an institutions "Customer Identification Program" (CIP). While the intent is clearly to have in place mechanisms by which an institution can reasonably identify its customers, (no complaint there), various vendors have invented new terms like "2nd Factor" or "Multi-Factor" authentication.

Some of the new "2nd factor" and "Multi-factor" authentication products fulfill the regulation while providing additional security capabilities not required by FFIEC. One of these is a popular vendor's version of mutual authentication which is a potential new threat vector and reported to be exploitable by phishers. While perhaps a good subject for a subsequent post this particular technology is only an example. My point is that the arbitrary use of previously precise terms leads fuzzy product targets and the misunderstanding of their characteristics. This results in a myriad of negative consequences for both product designers and their consumers.

So what of Instance Level Access Control? Bottom line is that I don't know what people mean when they tell me they need "instance level access control," (If you do, please comment!) because each has person/organization/document means something different. A security document's failure to adequately define its terms, or to assume that it shares with the reader a common understanding ends in predictable, if unfortunate results.

At the risk of being just one more voice in the cacophony (don't you talk about instance level authorization at your dinner table?) let me go back to a time when J2EE security started to address its access control requirements with a model that included users and their identities in access control decisions, rather than just the system's code as system entities.

The original model provided for access control at the level of Java classes and methods on those classes. The result was that you could determine unambiguously (most of the time) whether or not a particular combination of user, class, and method was implied by a particular request. The "instance level" problem was (and still is) that there was (is) no way to distinguish between an object named "Ford Motor Company" as an instance of the class "AutoManufacturer," from an object "Bayerische Motor Werke" also of the class "AutoManufacturer." This meant that there was (is) no way at the EJB container to enforce policy whereby one set of users could work only with Ford (objects), and the other set only with BMW.

Java Authorization Contract with Containers (JSR 115) promised to correct all this. What it gave us was the previous J2EE model (must maintain backward compatibility of course!) - and what my friend refers to as "a hole in the container through which to push stuff." This "hole in the container" is expressed in a "context handler" which is code you or your staff write to tell the container how to perform access control on particular classes. This "hole" provides a mechanism to distinguish one object from another, by descriminating on instance data in the class, maybe a field called "Name" for example. Thereby you can write authorization policy which differentiates between two different objects (distinct class instances) of the same class.

But note, there is nothing in JACC that gives you general Java object instance level access control, unless you consider an EJB method's parameters to define an instance. My friend also likes to point out that container based security - beyond the specification's mandatory container types (Web, EJB, etc.) - is about externalizing into the container based mechanism code you'd have to write inside your applications to enforce access control policy anyway.

One might envision a JACC based context handler that might be able to introspect all the public (and dare I say private?) fields in an object, and then based on some meta-data be able to divine what to do with it. But then I've thrown OO's encapsulation out the window, that we tend to consider good qualities of object oriented design and development.

The example may seem strained - but this is more an example perhaps of overpromising and under delivering. I contend the "original" instance based problem was as I have characterized it - distinguishing two distinct instances (objects) of the same class at run time. JACC aimed and didn't achieve it (yet). I think the example is relevant because Instance Level or Instance Based authorization was given as primary objective for the specification. At best, instance based access control in JACC is under-specified; and it certainly isn't delivered with the mandatory compliance requirements it describes.

This isn't a slam of J2EE security. It is intended however to distinguish between what is suggested by terms such as "delivers instance based security" and what it actually does. It is a useful marketing term, if you want to imply capability your customer's can't yet achieve but for which they'd buy your product if they could. My marketing friends tell me this is a cynical view. I suggest it may be cynical of them to say so.

If you've made it this far, you're either an obsessive geek or will read anything. Thanx.

~r

of Legislators and Software Architects

2007-07-03T10:20:00.000-05:00

I resisted as long as I can. I was invited today to participate with some of my more learned colleagues in the writing a paper the objective of which is 'to define a new set of IT requirements for more effective and efficient design and implementation of “Internal Control”...'

Why on earth should anyone want to define a new set of IT requirements, when I'd venture to guess most IT professionals would confess no lack of requirements, and indeed, would prefer some of the old ones closed?

In this matter software architects are becoming like legislators, or worse, yellow-journalists: If they don't have or don't like the requirements (or laws or news) which reflect a business driver (or policy implementation or news) for their activity, they will now employ their friends to create new and improved ones.

We don't need new requirements, we need to solve the hard problems that we've obscured with new technology. Remember "distributed computing?" It was to be solved with network services then RPC then DCE then CORBA, and now SOA. Remember "access control?" ACL's vs RBAC, MAC vs DAC (ok I'm mixing my metaphors) - let's not solve the problem, lets rename the solution. Access control to Access Management to Identity Management to Federated Identity Management to Identity Enabled Services to ...

Of course who ever made a career by solving old problems. The lesson is, if you don't like the work you're doing, create some new work.

"Meet the New Boss, same as the Old Boss..."

~ciao~

Welcome to the Ronosphere

2007-06-14T00:38:00.000-05:00

Stay tuned!