Posts Tagged ‘Obama Administration’

Apple’s Money

Posted in 2011 on August 1st, 2011 by Robert X. Cringely – 152 Comments

In Steve we trust.

All of us were reminded over and over and over during the last few days that Apple has more cash on hand than does the U.S. government. This coincidence means precisely nothing to either outfit.  We won’t see President Obama asking Steve Jobs for a loan, nor will we see Steve Jobs offering one. Yes, the government is broke and yes, Apple has a lot of cash. But GE has almost $50 billion more than Apple, so where are all the GE stories?

There’s a mystery about Apple’s cash and that mystery has to do with Steve’s strategy for holding all that money.  What’s it for? The predominant theory seems to be that Apple intends to make a huge acquisition and periodically there are rumors of Cupertino buying this big company or that, with Hulu being the latest supposed target. And maybe Apple will buy Hulu (actually, I don’t think so, but let’s assume they do) but that will still leave Steve with $74+ billion, so the Apple money story won’t be going away. I think Apple has raised all that money for the sole purpose of….. having a lot of money. I don’t think Steve intends to make any major acquisitions at all, though that says nothing about a post-Steve Apple.

The Silicon Valley corporate tendency to not pay dividends and instead accumulate vast quantities of cash was pioneered by Dave Packard at HP. Starting in the late 1950s, Hewlett-Packard was raking-in the dough but it was at the time also a privately-held company with just two shareholders — Bill Hewlett and Dave Packard.  The founders could easily have demanded dividends or even, I suppose, stock buy-backs, but they were earning plenty of money and preferred to let it ride.  Going further, Packard, as the money guy, didn’t like the Wall Street trend of taking on corporate debt to fund growth.  The less you paid out to shareholders (both of them) he decided, the more growth could be funded internally.  That’s not the way they do it anymore at HP, by the way — that habit having been broken by Fiorina, Hurd, and now Apotheker, though the last can’t really be blamed because the damage was mostly done before he came on watch.

What was pioneered at HP was later emulated at Intel and every other big Silicon Valley company right up through Apple and Cisco today. And since they all did it and their stockholders made plenty of money from capital gains, nobody much complained until fairly recently when some of these companies began paying small dividends.

But not Apple.  Steve Jobs knew what it was like to be poor at Apple from 1976-77 and he knew what it was like to be really poor at NeXT in the early 1990s.  So when he returned to power at Apple in 1997 Steve embraced very conservative financial practices that kept Apple awash with cash to pay for what he was sure would be inevitable missteps. All that money was an insurance policy against Steve’s own inevitable failure.

Only he didn’t fail.

His bets were bold in scope but modest in cost and hardly ever failed.  So Apple’s cash accumulated and accumulated and accumulated until it reached the point where Jobs could no longer view it as an insurance policy. That’s when it became an acquisition fund — not because Steve had particular acquisitions in mind, but because thinking of it as being intended for acquisitions made not spending the money easier to do.

Apple could have made any number of acquisitions. Just as both John Sculley and Gil Amelio tried to sell Apple to Sun Microsystems and failed, Scott McNealy and Jonathan Schwartz tried to sell Sun Microsystems to Apple and failed.  But Steve didn’t make any major acquisitions, saying the opportunities weren’t good enough but also knowing in his heart that buying his way to scale would kill the Apple he was slowly building in his own image.

Remember we’re now 14 years into what is probably a 20-year Apple strategy.  Yes, it has evolved and expanded over time, but the strategy was always headed in the same direction.  Where the typical Silicon Valley CEO thinks about this quarter and next quarter, Steve Jobs had the leisure to think about this decade and next.

When it finally became clear inside Apple that Steve really wasn’t going to buy a big company (Apple’s biggest-ever acquisition, remember, was the recent $2.4 billion purchase of Nortel’s patent portfolio, which got Steve the IP he wanted without the lovely Canadian engineers he didn’t want) the company had to find another plausible reason for holding all that money.

And so Apple today uses its cash to buy parts in huge quantities.  Lately this has mainly meant buying flash RAM and iPhone displays in amounts that move whole markets and guarantee Apple the lowest prices anywhere.  This is important: in an era where interest rates on idling cash are averaging one percent, Apple is using its cash to get 15-20 percent discounts on parts. That’s exactly like earning a 15-20 percent interest rate.

Apple not only gets the lowest prices, they also get the most reliable supply. I won’t call it anti-trust, but I think it is fair to say Apple has an effective consumption-side monopoly for certain mobile components.

IBM tried to do exactly this back in the days of the IBM PC-AT when Big Blue bought Intel’s entire supply of 80286 chips — a bold move that backfired when Intel fell back on second source agreements and quickly doubled production.  IBM was stuck using the same 8 MHz 286 chips for nearly three years to blow through its supply, while Compaq, Dell and others jumped to the 386.  That’s when IBM lost its PC market leadership position, compounding it by requiring OS/2 to work on those stockpiled 286 chips, too.

Apple isn’t IBM.  Cupertino’s purchasing bets are bigger than IBM ever imagined and they’ve paid-off better, too, with Apple keeping an eye on the construction plans of its suppliers so it doesn’t make an IBM-type mistake.

For most Silicon Valley companies, then, holding lots of cash may increase financial flexibility and lower or eliminate short-term borrowing costs, but they also are a persistent drag on earnings just because there’s no way companies can make as much return on their cash holdings as they could make by rolling that money back into their business.  Only Apple is a clear exception to this rule.  Only Apple plays the game big and bold enough to never lose.  But to do that you have to have a bigger pot than the house, or in this case the government.

Big Bang Theory

Posted in 2011 on March 7th, 2011 by Robert X. Cringely – 94 Comments

The world is in turmoil with the Middle East experiencing something like a social revolution, so what’s the last remaining superpower to do? I’m serious. Colonel Qaddafi is bringing heavy armor and air power to bear against the rebels opposing him in Eastern Libya and inflicting some serious casualties. The rebels are calling for U. S. air strikes or maybe a U. S.-enforced no-fly zone. But Defense Secretary Robert Gates, sitting already on two regional wars he can’t win, doesn’t want to get involved in yet another. Anything discussed so far that Obama might do will only make new enemies or long-term problems for America, but then so will doing nothing. So while the big brains at the Pentagon and White House think their deep thoughts, I’ll just throw out my own idea of what to do, which seems brutally obvious to me — electronic warfare.

The U. S. President has already come down on the side of the rebels, but setting up a no-fly zone from the USS Enterprise parked in the Mediterranean, while feasible, is probably not practical. Libya is a big place and policing every hectare from the sky is bound to be costly, and holes will be found in that defensive fabric. Another alternative would be preemptive air strikes to take out the Libyan Air Force so it no longer presents a problem. If either of those moves is being seriously debated I am sure the Pentagon is suggesting they be done together as a one-two punch.

But think about the strategic goal here, which is simply to level the playing field. If the people of Libya want Qaddafi out, then it is up to them to push him out, with the most democratic conflict being man-to-man, not tank-to-man or MiG-to-man. That’s where electronic warfare comes in.

While the United Nations and NATO come to their own policy positions, here is what I would do were I the Commander-in-Chief. In the middle of the night (tonight!) I’d send stealth aircraft and drop electromagnetic pulse weapons on all 13 Libyan Air Force bases as well as on selected Libyan Army bases and current battlefield targets. It’s hard to imagine needing more than 24 devices. These devices would destroy all command-and-control capability on both sides, fuse all military electronics, take out the mobile and wired phone networks, and probably shut down large parts of the Libyan electrical grid, ideally with little loss of life.

There are two ways to inflict such electromagnetic damage: 1) detonate a nuclear device in the atmosphere high over Libya, or; 2) use quite simple explosive devices pioneered in Russia and Los Alamos in the 1950s, each capable of doing the damage of dozens of simultaneous lightning strikes.

I’d choose door number 2.

By dawn, with the exception of the odd surviving tank, the Libyan war would be down to boots and AK-47s with the victor being he who commands more of both.

One more thing, though. If I were the President and ordered such a strike, I’d also order that it remain a state secret, which is the only reason that stealth aircraft would be needed — to avoid a radar record of the attack.

Maybe the Libyans will pretend nothing happened. Maybe they won’t know who to blame. Ideally they’ll just fade away.

Spies Like Us

Posted in 2010 on October 7th, 2010 by Robert X. Cringely – 95 Comments

Last week the Obama Administration announced that it would be shortly submitting legislation intended to force providers of all kinds of digital communication services (mail, voice, chat, Twitter, etc.) to install back doors in their services to allow government monitoring of all encrypted digital communication.  No explicit details were given of how this is going to work, nor has the actual legislation yet been introduced.  Hopefully it never will, because it simply won’t work.

It’s not that such technical back doors can’t be written (they can), nor is it even so onerous to force communication providers to change all their software since these services are rewritten often anyway.  The problem is that such back doors will simply force terrorists and privacy freaks to roll their own encryption products often using technology that is already in the public domain and readily available.

All Osama has to do is encrypt his messages with a product like Pretty Good Privacy (PGP) before sending them.  With tens of thousands of suspicious techies already using PGP and similar products, real terrorist communications will get lost in the flux.

For those who are unlikely to show such technical initiative, the feds may force Verizon, Google, and even Skype, to install back doors, but they can’t do so as effectively to two-guys-in-a-garage web encryption services that appear and disappear overnight and are given away for free.

Only the dumb crooks will be caught and at a terrible cost to the rest of us.

I have been covering this story since the Reagan Administration and in that time law enforcement has consistently worried about a growing technology gap that would keep it from intercepting criminal communications. A variety of standards have been proposed over the past 30 years with the general goal being to monitor virtually all communication in real time, something the National Security Agency is rumored to be capable of doing right now.

While this may seem very reasonable in a post-9/11 world, it isn’t.  First there is the proposed scale of these activities, which is massive.  As far back as the first Bush and early Clinton Administrations law enforcement agencies pushed for the capability to intercept up to 10 million simultaneous communication sessions.  Yet according to a Congressional report issued annually on federal wiretaps, fewer than 2,000 legal taps have been ordered in any year.

Such an expansion of federal wiretap authorizations was ludicrous then, when there wasn’t the law enforcement manpower to implement it.  And today when automation can probably replace manpower, making 10 million simultaneous wiretaps maybe a breeze to do, there are even more reasons to decry it as an invasion of privacy and even a possible violation of the Constitution.

When encryption is made illegal (that’s where this trend threatens to go) its presence creates a situation where we are guilty until proven innocent.  That’s when encryption may well give way to obfuscation — hiding secret communications in plain sight in a process known as steganography — with the next terrorist plan easily hidden in the background noise on a Miley Cyrus music video.

Even if there were actually a backdoor for Internet communication services, it would eventually be used and abused by both the government and hackers. That would make government communications equally insecure — a huge threat to national security.

This is simply not a tool we need.

Moonset

Posted in 2010 on January 31st, 2010 by Robert X. Cringely – 174 Comments

Later today the Obama Administration will reportedly announce major changes in the U. S. space program that may amount to the effective end of manned space flight after this decade. As a guy who has been trying to mount his own mission to the Moon I’m not yet sure how I feel about this. Maybe it is a great opportunity, but probably not.

The FY2011 federal proposed budget will be published with the following changes:

– NASA’s Constellation program to replace the Space Shuttle will be cancelled and all hardware development will be stopped including Ares 1, Ares 5 and Orion.

– The Moon is no longer the first stop in the exploration program, replaced by the so-called Flexible Path which really does not mean anything: “We are not sure where we are going, whether to the Moon, asteroids, empty space (Lagrangian points) or Phobos, so we will spend years and billions of dollars thinking about it while deferring any real mission development.”

– NASA human spaceflight will concentrate on International Space Station (ISS) flights, using commercially developed hardware (whatever that means: NASA has had zero success in relying on outsourced systems).

– There is no real post-ISS program. Maybe something will happen past 2020 but that is for the next administration to figure out.

Where NASA goes other space agencies will follow (the Europeans, Indians, even the Russians, possibly leaving only the Chinese still headed to the Moon). The Moon is out as a destination, considered by some as too hard and others as too boring. Over the next two years we will see a serious drop-off in interest expressed by various groups (like the Google Lunar X-Prize effort).

This has happened before: back in the 1990s everybody was into Mars missions (NASA, other government agencies and private groups). When NASA lost interest in Mars around 2001-03 and turned to the Moon, other nations followed.

On one hand this pending announcement is terribly disappointing. There is a very high chance that we will see an end to U. S. human spaceflight within the next few years. But it was probably inevitable. NASA is too screwed up to do anything else without a major restructuring and that would require spending too much Presidential capital in this terrible economy.

My Moon mission, of course, is still on.

The Cybersecurity Myth

Posted in 2009 on October 2nd, 2009 by Robert X. Cringely – 196 Comments

The Department of Homeland Security (DHS) said this week it will hire up to 1,000 cybersecurity experts over the next three years to help protect U.S. computer networks. This was part of National Cybersecurity Awareness Month and the announcement was made by DHS Secretary Janet Napolitano, who also said they probably won’t need to hire all 1,000 experts, which is good because I am pretty sure THERE AREN’T ONE THOUSAND CIVILIAN CYBERSECURITY EXPERTS IN THE ENTIRE FRIGGIN’ WORLD!!!!

So I polled six old friends who ARE cybersecurity experts and they kinda-sorta agreed with me.  More on this below.

But first I have to marvel that I even know six cybersecurity experts and — even more amazing — I’m pretty sure they don’t know each other. They seem to be like badgers, solitary creatures who only come out to mate.

They are cynics, too.  One questioned the term “cybersecurity” as being inappropriate.

“(It) depends on your definition of expert,” said expert number one, who works deep in the military-industrial complex. “If you mean someone who can spell ‘cyber’ then sure (there are 1,000). If you mean those who know that ‘cyber’ is short for ‘cybernetics’ and has little to do with computers then probably not. I still occasionally use the title ‘Cybernetic Psychophysicist.’”

Sure enough, there’s a very detailed definition of cybernetics here and it doesn’t intrinsically have very much to do with computers or networks, though don’t tell that to the DHS without first taking off your shoes and placing the definition in a one quart plastic bag.

“Duh!” said expert number two who has spent his career at telcos and cable companies. “Of course.  You got it right.  I doubt there are 1000 in the world.  There are a lot of wannabees, or folks who think they are…”

“Define ‘expert,’” said another friend from behind Door Number Three, who comes from the security software business. “(An expert is) a person with a high degree of skill in or knowledge of a certain subject.  Great, but the question is all about scope. I may be an expert cook – but can I run a kitchen? Same thing with security: there are tons of experts – in specific areas. I was an expert in AV, IDS, and other areas. But I was not the all-knowing security guru (even though my knowledge base was very broad). This is where we run into unintended actuated consequences. An expert will make a choice and take an action.  The end result may not be what they had anticipated because other factors beyond the realm of their expertise caused an unanticipated consequence.

“Example: I am forced to use low sulfur gas because the experts say it produces 20 percent less harmful emissions. Too bad they did not notice it has a lower power quotient than a normal gas blend. As a result I use 30 percent more gas that is 30 percent more expensive (and puts four percent more sulfur into the air).

“So I believe there to be less than 30 real experts in security, but there may be well over 500 subject matter experts and perhaps another 1000 sous-security people.”

Now I brought in the big gun — expert number four, an independent security consultant to foreign governments:

“My bet is that they are going to just pull the bodies from the Department of Defense and Department of Energy,” he said.  “DoD has established a number of credentials required to be classified as a security specialist like CompTIA Security+, CISSP, etc.  None of this stuff has any practical application because it is hardware/software neutral.

“Even if a government agency (over 550 of them) allows you to sniff their network, are they going to let you evaluate the applications for bugs?  I don’t think so.  Without scrubbing the software with products like Ounce Labs (owned by IBM), what is the point of evaluating the network?

“Another item of great importance is a security clearance to do the work. This is where you will get only one brand of thinking; DoD or DoE clearance. This will prohibit the security “black hat” types from ever being involved in the project without coming from the DoD or Energy.

“So you will end up with 1,000 Security Managers in the government with Sec+ and CISSP certifications, talking to Cisco, Juniper, CheckPoint, Tipping Point, Microsoft, Oracle, Ounce Labs, etc. security professionals at $300 an hour doing the actual work. That’s 1,000 jobs for window dressing, releasing reports that end up on Drudge Report listing the number of breaches in Federal Government Agencies.

“When you look at the private sector protection of data standards for items like credit cards you have real teeth in your regulations.  You don’t have to take credit cards, but if you do then you need to be PCI compliant. Don’t want to be PCI?  No problem we won’t allow you to use our credit cards. Where will that type of enforcement be with the wall of 2,000 eyes protecting the USA?”

No there won’t be (this is Bob again) because governments are required to provide services to their citizens. Even the DHS can’t shut down the government to cure a security breach, though I am beginning to believe they haven’t yet figured that part out.

“I’m not sure there are even a handful (of experts) with any sort of broad experience,” said expert number five, who is usually associated with security hardware. “There probably are pockets of them, with specialized narrow experience, e.g. in banking, virus or DOS attacks, military networks, etc. And even if there were 1,000, what would they be doing on behalf of Uncle Sam?”

That’s a great question given that we as a nation can’t seem to hire and keep a national cybersecurity czar. So what are we doing hiring 1,000 experts given there is no boss?

While it is great to have a Cybersecurity Awareness Month, whatever that is, and it might be great to add a thousand “experts” to protect our nation, if you look deeper into this story it is for the most part BS or HS and, I fear, CS to boot.

Look, the number of CCIEs with security as a certification is 2,300 for the entire world. Subtract the 50 percent who work for Cisco, then 50 percent again for those not working in the field any longer, and you get 500 Cisco CCIE Security Experts worldwide. The only way to get another thousand in three years is by training them. But in the last four months with 800 available seats to sit for the Cisco CCIE Security exam only one person has passed!

The DHS is extremely unlikely to be able to find and train 1,000  cybersecurity experts in three years. Maybe they’ll come up with 100 (more likely 5-10), but the DHS environment will make it unlikely — very unlikely — that all of those 100 will stick around.

Secretary Napolitano says she might not need all 1,000, which to me says she is really looking for 3-5 people.  And frankly that ought to be enough if they are truly experts and are both properly led and supported (which they probably won’t be).

So this is the wrong approach entirely. It won’t work, the DHS probably knows it won’t work (if they don’t know that, well God help us all) but they see it as better than nothing. That doesn’t worry me so much, though. What really worries me is the point brought up by cybersecurity expert number six, who himself came in from the cold:

“Sure there are 1,000 (cybersecurity experts),” he said, “but they are already employed… as hackers.”

Women and Children First

Posted in Uncategorized on September 7th, 2009 by Robert X. Cringely – 142 Comments

Today is the Labor Day holiday in the USA, so to honor the more vulnerable parts of our society and economy I’m engaging in this fantasy rethinking of our current economic crisis.  If only……

When the “unsinkable” ship Titanic hit an iceberg and sank on its maiden voyage in 1911, as any teenage girl will tell you, the rich people got nearly all the lifeboats (except for John Jacob Astor IV who ordered another drink, giving up his seat), dooming the lower-class passengers including, of course, poor Leonardo DiCaprio. Much the same thing seems to be happening in the case of the current economic crisis, where the people who are hurting the most seem to be getting the least.  I’m beginning to believe the crisis could have been fixed quicker and cheaper simply by helping the women and children instead of the bankers.

This began as a mortgage crisis.  Lenders dropped their standards on loans, giving them to people who shouldn’t have qualified (yes, they applied for those loans so are also culpable), driving housing prices up in a bubble that eventually popped and here we are with eight percent of all mortgaged houses in foreclosure and home prices down 30-40 percent from two years ago.  The technique our government used to deal with this was to prop-up the bankers, not the borrowers.

Why?

That’s a question I have been asking all over and the smart money answer generally comes down to: 1) that’s the way the system is set-up; 2) that’s the way we’ve always done it, and; 3) it would be too complex to deal with individuals — better to deal, instead, with a few dozen banks.

Why?

The system was widely perverted to deal with the current crisis; it wasn’t “business as usual” at all.  Companies that weren’t (and still aren’t) bank holding companies were declared to be so and got money from the Fed and Treasury as a result.  Same for insurance companies and brokerage firms and car companies that remained as they were but got money still from the Congress or through sleight-of-hand by Fed chairman Bernanke.

Doing things “the way we’ve always done it” is what got us into this mess.

And the miracle of information technology makes it just as easy to send money to people as it is to take it from them in the form of taxes.  Saying that a bank has to be in the middle makes no sense at all. PayPal would gladly assume that function, if it is truly needed.

I’m beginning to realize we could have taken a completely different approach to the problem and simply treated the symptom, inserting what computer jocks call a “wait state” into the mortgage system so panic could subside, rational adjustments could be made, and life could be eased back to normal.

Remember that economies are cyclical and a lot of good financial planning is simply having enough reserves to survive until things get better.  That could have been our major economic tactic in dealing with the crisis in 2008. Instead of pumping $700 billion to $1.3 trillion (nobody knows the real number) into economic stimulus and bail-outs, the U.S. government could have simply paid everyone’s mortgage — EVERYONE’S — for six months.

There are 51 million mortgages in America and the average mortgage payment in 2006 was $1686, so paying everyone’s mortgage for six months would have cost $516 billion — hundreds of billions less than the Bush/Paulson/Obama/Geithner/Bernanke plan, and quicker, too.

The money that people would otherwise have used to make their mortgage payments could have gone in part for other things, making it effectively a huge economic stimulus in its own right.  With mortgages paid in full there would have been no foreclosures OR bank failures during that six month period.  Yes, there would still have been problems with the banking system that needed  correction, but there would have been six months to do the correcting.

Lehman Brothers would still be in business, Bear Stearns, too.  Merrill Lynch would be independent. AIG would not have failed. Even Bernie Madoff would probably still be in business — at least for a while.

So why didn’t we do it that way?  Because it would have been putting women and children first.

I need a drink.

Medical Records R Us

Posted in Uncategorized on July 23rd, 2009 by Robert X. Cringely – 228 Comments

This is the first of probably three columns on health care.  The Obama Administration right now has in Congress legislation for reforming the U.S. health system so that sets my agenda. But the point of these columns isn’t to comment, per se, on the current proposals, but instead to look at what I believe to be my two areas of some strength — Information Technology and understanding complex systems — and see how they can be applied to this problem.

And it IS a problem.  That’s the only part of this debate that all sides agree on.  The doctors feel beleaguered and Lord knows that sick and uninsured people sure do, too.  Even corporate fat cats are appalled at the explosive growth in health spending which today takes more of our GDP than any other expense category, costing approximately $2.5 TRILLION per year.

So if we can all agree on the goals of better and more efficient health care with some way to make it available to the largest possible number of people, the question then becomes what’s the best way to do that?

Government isn’t very good at answering such questions, but then in many cases neither is industry if their business model has to include ever-increasing earnings.

Imagine, just for a moment, what the U.S. health care industry would look like if it were managed solely by that paragon of capitalism, Goldman Sachs.  The 48 million Americans without health insurance would probably be ignored completely while those who could pay more would get boutique medical services beyond belief and doctors would come to rely on substantial year-end bonuses.  For some, such a system would be better but for most it would be worse, though supremely profitable.  And when that “most of us” comes to constitute most of the American working population, too, it will ultimately come to affect U.S. productivity and then we’re hosed.

So while it is convenient and fun to criticize government programs, let they who are without sin cast the first stones.

There are some things government is actually good at, among which are setting goals for good behavior.  The Clean Air Act and Clean Water Act in the 1960s changed America for the better by setting environmental goals then letting the marketplace figure out how best to reach those goals.  Without a target and a penalty for not reaching it, we wouldn’t have improved our environment as much.

So let’s step gently into this health care debate by looking at one area where Information Technology is central — health records.

There are lots of advantages to computerizing health records.  A couple of years ago I visited the Mayo Clinic in Rochester, Minnesota, to discuss this very issue.  Mayo has been in the forefront of digitizing all of its six million patient records.  This is a bigger job than most of us realize since it involves not just blood tests and doctor’s notes but also X-Rays and CAT scans.

Mayo, which was a century ago the first clinic in America to standardize the way it kept records in the first place, is also at the forefront in creative ways to use those records once they are in the system.  You see Mayo doesn’t have six million patients, they have six million patient records — many of those being records of people long dead.  But keeping extensive records of dead people creates a powerful database for statistical testing of possible treatments and even drug interactions.  “Surely in those six million records there is something similar to this medical mystery we are trying to solve today.” And often there is.

Figuring out from an analysis of records that combining drugs A, B, and G sometimes kills people can be good to know.

Mayo is taking the process even further to include DNA data for many patients with the goal of being able to statistically identify genetic trends within the population through records analysis.

That’s the good side.  The negative side of all this record keeping is that many people see it as a possible invasion of patient privacy.  This is what led to the Health Insurance Portability and Accountability Act (HIPAA) of a few years ago which forced health providers to be more strict in how they managed health records, adding at the same time about $25 billion per year to the cost of keeping us all in the system.

Hey, isn’t Information Technology supposed to SAVE money?

Sometimes.  Ideally, it should.

So medical records are an area where IT could make us healthier and, if done correctly, ought to save lots of money, too.  What we need is some form of centralized medical record keeping that preserves patient privacy yet, at the same time, keeps us from shopping all over town for bogus Oxycontin prescriptions.

Here is an ideal opportunity for government to set a standard for medical records and possibly even to develop medical records software, though I don’t think it has to go that far.  What’s required is a specification that would allow health care providers to interface with a medical database, knowing how to insert and retrieve data.  It’s a specification, NOT a national database.

And here’s what we do with the specification.  We establish that patients own their own records.  Supposedly they already do, but doctors and clinics do a darned good job of keeping us from moving by retaining those records.  Under my system we’d take the records away from the health care providers entirely, at the same time relieving them of the need for records clerks and much of their current HIPAA responsibilities.

Then we’d let a thousand databases bloom.  Organizations could establish health record databases compliant with the Federal standard but not otherwise subject to Federal control.  These databases could be accessed by any authorized medical care provider — authorized by you.

Patients could decide where they’d like their health records to reside, with that service possibly becoming a perk for membership in certain organizations.  So you could keep your health records at the National Rifle Association, for example, while I might keep mine at the American Civil Liberties Union (or at Pep Boys, whichever is cheaper).  If you are worried about government snooping, trust your records to an organization mortally opposed to government ANYTHING.

Record access becomes a lot like an electronic funds transfer.  Banks have spent a lot of money working-out the technical details of giving and denying access to databases with a variety of key systems.  You give your doctor access to records of a certain kind for a certain period of time and that’s it.  The system ought to work well for everyone.
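A grant of the kind described above (one doctor, records of a certain kind, a certain period of time), sketched as an added example that is not part of the original column. It assumes the patient and the records host share an HMAC key; the field names, identifiers and record kinds are hypothetical.

```python
import base64, hashlib, hmac, json

def _sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def issue_grant(key, patient, provider, kinds, not_before, not_after):
    """Patient side: mint a grant for one provider, some record kinds, one time window."""
    claims = {"patient": patient, "provider": provider, "kinds": sorted(kinds),
              "nbf": not_before, "exp": not_after}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (body + b"." + _sign(key, body)).decode()

def check_access(key, token, provider, kind, now):
    """Records-host side: decide one read request; returns (allowed, reason)."""
    try:
        body, sig = token.encode().rsplit(b".", 1)
    except ValueError:
        return (False, "malformed grant")
    # Verify the signature before trusting anything inside the grant.
    if not hmac.compare_digest(_sign(key, body), sig):
        return (False, "bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["provider"] != provider:
        return (False, "wrong provider")
    if kind not in claims["kinds"]:
        return (False, "kind not granted")
    if not claims["nbf"] <= now <= claims["exp"]:
        return (False, "outside time window")
    return (True, "ok")

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample secret, assumption of this example
    grant = issue_grant(KEY, "patient-1", "dr-smith", {"lab", "rx"}, 1000, 2000)
    for args in [("dr-smith", "lab", 1500), ("dr-smith", "imaging", 1500),
                 ("dr-jones", "lab", 1500), ("dr-smith", "lab", 2001)]:
        print(args, check_access(KEY, grant, *args))
```

The host never consults the provider about what it may read; everything it enforces comes from the signed grant, so a grant edited after issue fails the signature check before its contents are looked at.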

And it even can be the basis of new types of business.  I can see third-party outfits popping-up to parse your records (at YOUR request) to look for likely genetic problems or for past and present medical mistakes concerning multiple prescriptions, bad drug interactions, etc.  Here $10 per year could save hundreds — maybe thousands — of not just dollars, but lives.

And what does this record system look like, when you come down to it?  It’s the World Wide Web — medical records as a web app.  And one thing we know about web apps, as opposed to any kind of medical technology — the price only drops over time.

More to come.

Collateral Damage

Posted in Uncategorized on June 6th, 2009 by Robert X. Cringely – 79 Comments

There was lots of good discussion last time about cyber warfare, cyber security, and U.S. policy, but what most respondents seemed to miss was the international nature of the IT business — all the outsourcing and offshoring that we were told was so great — and its implications for U.S. security.  The upshot is that any U.S. cyber warfare czar will have to effectively function as a WORLD cyber warfare czar, a fact that neither Republican nor Democratic Administrations have yet been willing to embrace, at least in public.

Forget for the moment about data incursions within the DC beltway.  What happens when Pakistan takes down the Internet in India?  Here we have technologically sophisticated regional rivals who have gone to war periodically for six decades.  There will be more wars between these two. And to think that Pakistan or India is incapable of taking such action against the Internet, or unlikely to, is simply naive.  The next time these two nations fight YOU KNOW there will be a cyber component to that war.

And with what effect on the U.S.?  It will go far beyond nuking customer support for nearly every bank and PC company, though that’s sure to happen.  A strategic component of any such attack would be to hobble tech services in both economies by destroying source code repositories.  And an interesting aspect of destroying such repositories — in Third World countries OR in the U.S. — is that the logical bet is to destroy them all without regard to what they contain, which for the most part negates any effort to obscure those contents.

You can have 1000 safe deposit boxes with only three holding anything of real value, but that obfuscation is meaningless if the target is ALL safe deposit boxes.

To this point cyber security conferences tend to concentrate on intelligence (probing attacks to learn about a potential enemy, gather information and map defenses) and tactical deployment (using that intelligence information to blind, disable, or defend some network resources in what’s usually perceived as an encounter lasting hours).  There is little to no regard for strategic use of cyber warfare as in the India-Pakistan example or the nuking of source code libraries.  We don’t talk about it because it is too horrific, not because it can’t happen.

The result, of course, is that any major power has to be concerned about the cyber security of all its technology partners, which over the last decade has come to include a lot of Third World nations.  Try to do a security audit of Argentina or Bangladesh and see what nightmare is unveiled.  Yet this is exactly where major international companies are deploying more and more technical resources.

The military answer of course is to isolate network traffic, as many readers have suggested.  But how do you enforce that in other countries?  And how effective is it at all against a strategic attack on essentially commercial resources?  Not very.

This is not a battle but a war and wars take a long time to prepare for and wage.  As readers have pointed out we’re not just concerned with malware and viruses but even hardware-based attacks. Who knows if that flash memory from Malaysia or that router card from Taiwan is compromised?  Who CAN know?  And if you’ve found one hardware exploit in a product does that mean you’ve found all that are there?  Hardly.

One point of view is that this makes both old tech and traditional firepower more valuable.  Analog systems, for example, are unlikely to be compromised by digital exploits. And 2000-pound bombs are a pretty darned effective response to a cyber attack IF you can clearly identify the attacker and figure out where to drop the bombs.  Both effects tend to neutralize the effect of advanced systems, making Syria a more effective opponent against Israel, AND push superpowers toward brandishing their biggest guns — nuclear weapons.

So cyber warfare is internationally destabilizing in whole new ways with the world being dramatically less safe as a result.  This works mainly to the advantage of the bad guys.

Then there’s the Code God Effect — the potential strategic impact of a single programmer with commanding skills.  That very guy or gal who typically is the creative heart of an entire company (but they never admit it) because he is the equivalent of 100 average coders can be the secret weapon in a cyber war, too.  And the distribution of such megabrains is random enough that to say one or more aren’t working right now in North Korea would be a bad bet — one that a nation like the United States would be unwise to make.

We see the Code God Effect happening right now with publicized Chinese Internet incursions and those are just amateurs: the real damage is being done by much more skillful players we have yet to even detect.

What this means for any major power is that they aren’t as powerful as they think they are and that power is even less across borders.  There isn’t a U.S. agency I know of — ANY agency — that is prepared to win such a war against a clever and determined opponent of almost any size.

If the game is U.S. versus Albania, who wins?  I don’t know.

We need new tools and new weapons.  We need to find ways of changing the battlefield to negate opponents (this is HUGE), not just shooting back.  We need leadership that understands this.  Maybe President Obama understands it, maybe not.  He hasn’t demonstrated yet that he does, at least not to me.

Let’s hope that’s just part of an incredibly clever master plan.

Yeah, right.

Remember Billy Mitchell

Posted in Uncategorized on June 1st, 2009 by Robert X. Cringely – 59 Comments

Billy Mitchell was an iconoclastic American military airman from the early 20th century.  He was a firm believer in military air power and was ordered court-martialed in 1925 by President Calvin Coolidge for criticizing his military superiors over the issue.  My kind of guy. Gary Cooper played Mitchell in a 1955 movie, by which time everyone knew he had been right all along.  My fear is that when it comes to cyber warfare there is no Billy Mitchell today in Washington.

Cyber warfare was big news last week.  President Obama said he would name a cyber warfare czar to be a single point of contact on the issue for his Administration and that person would have direct access to the President.

If only that were true, but it isn’t, and the U.S. will be endangered as a result.

Billy Mitchell’s argument was that aircraft would come to play a huge role in modern warfare, supplanting battleships at sea and artillery on the ground. Air power was so important, Mitchell argued, that there should be a single air service to develop and deploy aircraft as needed in any war.  This still hasn’t fully happened, of course, though Mitchell’s work did directly lead to the creation of the U.S. Air Force in 1947 — 22 years and one world war after his court-martial for suggesting it in the first place.

The problem with Obama’s cyber czar is that the Administration is CALLING the position a priority but not MAKING it one.  The position has in some accounts been called a “member” of the National Security Council, but the czar is also said to “report” to both the Director of National Intelligence and to the President’s Senior Economic Adviser.  Well you can’t be ON the council and also REPORT to those guys — one of whom is on the council and the other is allowed to drop in if he feels like it.

In short, this is an NSC staff job.

Obama said the czar would have “direct access” to him, but didn’t say how.  At best I think they’ll pass in the corridor.

This is no czar.  That’s literally the case, of course, because nobody has yet been hired for the job.  But it is also the case that the job will — as the NSC is organized — not have the power needed to do what must be done.  Czars are dictators; this guy can only recommend and even then he’ll be recommending to people who may not then bother to inform the President.

If the cyber warfare czar is, in fact, a czar, the first thing he or she should do is give himself or herself a promotion, which won’t happen.

In the meantime there are competing interests at the Department of Defense, the National Security Agency, the CIA, the Department of Homeland Security, the Department of Justice, and possibly elsewhere.  Each of these agencies is building its own cyber warfare capability, each with a different agenda both stated and real.  The stated agendas are to play either cyber defense or offense.  The actual agendas are to protect departmental turf from the new cyber warfare czar, to undermine him or her.

Let’s go back to Billy Mitchell for a moment and think about how the technology of aerial warfare came to be in his era.  Most of the military services developed their own air capability as lip service to the idea while actually protecting major — and antiquated — weapon systems.  The U.S. Navy bought some planes and built some aircraft carriers, but not at the expense of battleships.  Even when naval air power came to the fore during World War II it was almost an accident, since the only surviving capital ships in the Pacific after the attack on Pearl Harbor were aircraft carriers, the battleships having for the most part been destroyed.  So the Navy had to rely on air power since that’s the only power it still had.

They weren’t smart at all, just lucky.

It is rare in U.S. military history for a technological innovation to come down on our side.  That’s because as self-designated good guys we are generally playing defense and defense doesn’t usually get the cool new toys.  It’s only in the U.S. development of nuclear weapons that we got a jump on the rest of the world — a jump that put us firmly in control for half a century (now past).

We are woefully unprepared for cyber warfare mainly because the military doesn’t want to lose funding for its other weapons — weapons that are likely to be rendered unusable or, worse still, actually used against us in a cyber attack.

Yes, it is that bad.

The best position here is to make cyber warfare a real priority, give the cyber czar some actual authority, and have him or her report to the President.  Otherwise the lessons of Billy Mitchell will have been forgotten and our first cyber war could be our last.