Dr. Evil’s Milk Run

Following is a guest post from my friend Eliot Peper. I met Eliot several years ago when he approached me about his first book. I loved his writing and FG Press went on to publish Eliot’s first two books – Uncommon Stock: Version 1.0 and Uncommon Stock: Power Play.

Eliot’s third book, Uncommon Stock: Exit Strategy came out recently and the topic is particularly timely. Enjoy some deeper thoughts of his on why. Oh – and grab Eliot’s books – they are awesome.

Our institutions are failing to protect us. In fact, they’re not even trying. That wasn’t what I set out to discover when I started drafting my first novel. I just wanted to write a page-turner about tech startups with enough real grit to make readers think (true fans may remember that I noted my original inspiration right here in a previous guest post). To research the book, I interviewed federal special agents, financial service executives, money laundering investigators, cybersecurity experts, investors, and technologists in order to deepen the story’s verisimilitude.

The novel turned into a trilogy and along the way I discovered how fact can be far more disturbing than fiction (a point of frustration for novelists). Every day, our government officials, bankers, and corporate leaders are betraying our trust through shortsightedness and technical ignorance.

The now-infamous breach of The Office of Personnel Management by state-sponsored Chinese hackers shocked the nation. Detailed background files on more than twenty-two million Americans were stolen. The pilfered data included medical history, social security numbers, and sensitive personal information on senior officials within The Department of Defense, The Federal Bureau of Investigation, and even The Central Intelligence Agency. The national security implications are staggering.

The emperor may have no clothes but he doesn’t stand alone. Every year, hundreds of millions of dollars are spirited away from major financial institutions. The United Nations estimates that organized crime brings in $2 trillion a year in profits and the black market makes up 15–20% of global GDP.

How do cartel bosses, arms dealers, and human traffickers stash their cash? By working with corrupt insiders, exploiting legal loopholes, lobbying crooked politicians, and taking advantage of the same kinds of technical weaknesses that made the OPM hack possible. They are only able to get away with it because banks and regulators turn a blind eye or, more often, don’t even know when it’s happening.

Large organizations like government agencies and international financial institutions started incorporating software into their operations decades ago. Ever since, they have consistently chosen to pile new updates on top of old code rather than rebuild systems from the ground up. Why? In the short run, it’s cheaper and easier to address the symptom instead of the cause. Now, that shortsightedness is catching up with them.

All of this is just what we know about already. It takes a median of 229 days for data breaches to even be discovered. That’s a long time for criminals to be inside our systems, building new backdoors for future exploitation. Worse, institutions are loath to report breaches even when they are uncovered for fear that our trust in them will degrade even further.

The software powering the digital infrastructure of our institutions is a mess of half-measures, lost source code, and mind-boggling integrations. It’s like a vault built out of swiss cheese, a house resting on a matchstick foundation, or the plot of a telenovela. You can choose your own metaphor, but every hole is a VIP ticket for society’s antagonists.

And that’s not all. In a study released earlier this month, The Government Accounting Office found that many federal examiners in charge of bank information security audits have little or no IT training. They also discovered that regulators are not even doing comparative analysis on system-wide deficiencies, limiting their scope to individual banks. Worse, the National Credit Union Administration lacks the authority to examine third party service providers to credit unions, leaving large segments of their systems beyond the jurisdiction of examiners. It’s painfully ironic that at a time when the NSA terrifies us with its digital omnipotence, so many government agencies can’t get their act together for legitimate enforcement. Our watchdogs are asleep on their feet.

Whether their endgames are espionage or financial malfeasance, we’re making it too damn easy for bad guys to do their dirty work. I was only trying to make my books feel real but now reality is forcing me to suspend disbelief. It makes for great plot twists, but verisimilitude isn’t worth this level of vulnerability.

These are big problems. Big problems always represent big opportunities for creative founders. Mattermark just released their first report on the hottest cybersecurity startups. But we need fixes that are even more fundamental than security. We must rebuild the technical infrastructure and human governance systems that shape our institutions. That change might come from an extraordinarily dedicated internal leader or it might emerge from a garage in Boulder.

We need hackers, makers, artists, and independent thinkers. We need to play smarter and think long-term. We need to call our leaders to action. We need to educate ourselves and build a future in which we can thrive, not fight to survive.  

  • One of the tech themes I have when I talk to groups is that “Government is unable to keep up.” We really need to unbundle the centralized bureaucracy that government has become. It can’t respond to anything-or even pivot. Just look at the fight that is happening over the sharing economy. Belief in the effectiveness of bureaucracy versus belief in decentralization might be the most pivotal divide in our society.

    • Stephan Froede

      Unbundling bureaucracy is a great idea… Unfortunately it’s not possible to disrupt government, without starting a civil war…

      On top of all the shortcomings of governmental bureaucracies, they do react very hostile to competition, like an alternate tax collection approach…

    • The idea of unbundling aspects of currently ineffective government enforcement is one of the central themes running behind the novels.

      • I think it’s a good one. But the alternative can’t be more government. Things like the blockchain can be integral to decentralizing and solving the problems

        • Absolutely. Probably the most interesting things revolutionizing governance are happening outside of government. Blockchain is a perfect example.

          Plays like SpaceX are interesting for a different reason: they are spinning out projects that were traditionally government-run and applying the “two pizza team” approach to advancing them.

    • Rosey

      I second your ‘can’t … even pivot’ assertion. I’ve spent the last half of my professional life facilitating teams in fixing high-volume processes. Work complexity is proportional to volume (frequency), and everything the federal government attempts to do that is customer (citizen) facing requires millions, often tens of millions of cycles or more, weekly or monthly. Everything is a very large project and the legacy infrastructure is a ball to drag the size of the Death Star. The five guys that rewrote Healthcare.gov are the pattern of the solution.

  • Doug Gibbs

    Yes, “they have consistently chosen to pile new updates on top of old code rather than rebuild systems from the ground up.” Doing either is hard, and failure prone. A rewrite with “security” is not going to fix all the problems. Large IT projects cost billions and are prone to failure. Software may eat the world, but it can’t solve problems on it’s own.

    • Absolutely, a rewrite prioritizing security is not the answer. Good security is often mostly a positive externality of good software architecture. But running legacy systems where literally no current employees understand the technical infrastructure on which they depend is a disaster waiting to happen. E.g. when organizations have lost source code to fundamental parts of their systems.

  • This really gnawed at my frustration, having experienced it for 7 years from the inside at state level. After witnessing business suffer interruption of revenue at scale, and shutting down mainly due to unpreparedness to even apply for government aid, (2010 BP Oil Spill) I decided to change things. It took fighting bureaucracy, both internal and legislative level, over a 3 year span to finally pass it in legislation into law. Along the way I’d pushed and pushed the organization to fund a team of 8 specialists–a $40k training cost, begged for $5k to create a crude prototype of a $200k program for the state (with help of co-worker programmer), and we actually did it. Long story short, enter new leadership of our organization, and it all went away. I’d wasted 3 years of dedicated mission to realize I had better chance to impact change by myself from the outside far better than inside the government with 100 times the resources, just from a unique perspective on what’s broken and how to fix it. My broad view, it takes a serious level of ineptitude if I fail to improve upon a factor of zero.

    • What are you working on now? Is being outside giving you new ideas and new channels for implementation?

      • Absolutely. Outside of the knowns has allowed me to ask new questions. I have so many more ideas I want to implement. Just putting in my back pocket until time and resources meet to begin to really develop.

  • Take_it_easy

    tanium.com is an Andreessen funded startup that I believe addresses some of the security issues in this article.

  • Raul Moreno

    I posted this comment about 4months ago on LI.

    I’m a third generation soldier.

    Though often on tour, my father: the man, the soldier, the leader is whom I looked to to establish my own value system.

    His uniform was like a super heroes’ cape. His name tapes, his shield.

    Now, I find my oldest daughter wearing my patrol cap and dog tags. She wants to be a “hero” and protect people like her daddy.

    Whether the concept is welcomed or not is irrelevant.

    The fact is our service members can and will have profound affects on the lives of individuals.
    The collection of individuals may be considered a community.

    Our responsibility as service members and veterans is to groom and facilitate the growth of this community in such a way that the progress of the generations to come is efficient and scalable.

    I for one, plan to show those I affect a more sustainable path to this type of growth.

  • Felix Dashevsky

    I have to admit that having not read the books, I am not certain I follow the specific issue (I know, Brad and Eliot, I should read the books! 🙂 ). The statement “Every day, our government officials, bankers, and corporate leaders are betraying our trust through shortsightedness and technical ignorance” is fairly broad, and I wonder if it is an artifact of human pattern recognition rather than a singly-addressable or sole-cause issue. As just the most surface example, if our sensitive data is in danger of theft while in possession of the government and companies, the solutions are radically different, if not divergent. Company-level solutions should be market driven, through transparency, customer awareness, and more consumer control over personal data, likely accomplished via further technology development and adoption. Government-level solutions are not amenable to market forces or to technological innovations (and the revolutionary solutions suggested hardly augur safety of data–except perhaps through the destruction of its value). One solution here would be to reduce the role of government (perhaps that’s what “unbundling” folks mention means). But data theft is a sort of “entry-level” issue. If the books touch on money laundering, bank secrecy, market manipulation, financial instability, regulations, and cyber-attacks, I have trouble tracking a common thread that’s not a banal refrain of “technology is changing the world” (or, worse, “shadowy forces are behind everything”).

    My point is this, the modern world is hyper-complex, and in it, solutions require unglamorous, painstaking, grinding, expert, long-term work. And that work will be multi-polar and never perfect for all, because most structures are not there due to shadowy crooks, but because they are addressing the needs of multiple legitimate stakeholders. This includes our government (and more importantly, our form of government). Unbundling and decentralizing are often positive where they are possible, but they are not always possible, and there are cases where they are not positive. And FWIW, crooks have been around forever, and will be around forever.